US Warning to Disable Java on Web Browsers

On Jan 10th, the US Computer Emergency Readiness Team (US-CERT) announced a vulnerability in certain Java systems, specifically affecting JSE 7, JDK 7, and JRE 7, and recommended that you disable Java in your web browsers. Since then there has been a lot of information exchanged on the Web, none of it (unfortunately) pointing to the actual US-CERT website (linked above), but everyone giving tips on how to disable Java.

To disable Java in your browser, follow these official guidelines from the Java website.

This issue was taken up by a number of news agencies and blogs, which immediately jumped at the opportunity to publish a post on how to disable Java, helping their readers. While that is a good thing, it is quite bad not to link to the original release about the issue, which gives much more information than these news reports.

How Will It Impact You?

An attacker targeting this vulnerability needs to push a malicious Java application (known as an applet) onto your system, where it will try to gain control without authorization. However, the applet cannot start without authorization on your part. In essence, the attacker can gain control only if you specifically allow the Java applet to run.

Within your browser (if you happen to visit a page carrying the malicious code), a message will appear asking whether you want to run the Java applet or not. If you simply click ‘no’, it will not affect your system.

There is no positive update on this issue yet. Oracle is still working on a fix, and until one is released you can either disable Java in your browsers or be cautious about the applets you run.


[Update: ]

Updating Java

Oracle has released an update for Java to fix the security vulnerability, although experts do not believe the vulnerability has been fully fixed yet.

However, it is in your best interest to update Java at this point. Here is how.

Windows

Within Control Panel, go to the Java Control Panel.

Even if the automatic update option is checked, Java will not update while it is disabled. Hence, update it manually. Check out this figure:

[Image: Updating Java on Windows]

Mac OS

On a Mac, you need to check for software updates; if a Java update is available, it will be displayed in the updates section. Check this out:

[Image: Java update on Mac]


[Update: ]

Facebook has been hacked into using the same zero-day Java exploit. It is much better to disable Java altogether when you are using social networks of any kind [follow the steps outlined in the Oracle link above]. On various browsers, you have the option of running a plugin automatically if the website is trusted. Look below:

[Image: Chrome plugin settings]

I would recommend you turn on the ‘ask’ option by default. Also, in Chrome, it is better to enable the ‘click to play’ option under Settings->Content Settings->Plug-ins.

[Image: Chrome content settings]

This will not only stop any Java applet from running automatically, but also make websites load much faster, as all plugins stay disabled until you click on them to play. This means you won’t be annoyed by websites with auto-play movies that start as soon as you visit the page.


[Update: ]

If you haven’t yet updated Java, this seems to be the perfect time to do so. Oracle has released a critical update, Java 7 update 25, which will replace your Java 6 installation. The update will be provided automatically to your Java installation.

This critical update fixes almost 37 of the security loopholes that Java currently has. For instructions on enabling the Java Console for the update, visit Oracle here. The 7u25 update also adds a certificate revocation check that ensures the digital certificate associated with a signed applet is valid and has not been revoked.

Checking SSL Certificates of Websites Before Transacting Online

Have you ever shopped online? Do you do banking transactions through the Internet? Do you use popular services like Gmail, Facebook, PayPal, etc.? If so, you may have heard about SSL/TLS. SSL stands for Secure Sockets Layer and TLS for Transport Layer Security. These are encryption protocols that provide high-quality security to sites that provide important services. TLS is simply the upgraded version of SSL, and there is no other difference between them.

Almost all secure websites out there use the SSL encryption protocol, and the details of the protocol can be identified by your browser itself.

Let’s see how you can verify whether a site uses a proper SSL certificate and can hence be judged secure.

The first step in identifying a website’s authority is done by the web browser itself. Most current browsers analyze the SSL/TLS details of a website before directing you to it. To get an idea, just visit your bank’s website. Most probably your bank will identify itself as a secure website. In certain cases, the secure connection is established only when you are about to log into your online banking account.

[Image: Bank of America SSL]

The first step in identifying an SSL-enabled website is its URL. The URL will most probably have Hypertext Transfer Protocol Secure (HTTPS) in it, as in https://www.facebook.com, the secure version of Facebook. When you go to this page, Facebook will automatically ask whether you want to enable SSL for future Facebook interactions. You can say yes.

If a website proclaims it is secure but doesn’t have ‘https’ in its URL, you should be suspicious.

SSL on Browsers

All browsers out there can identify SSL and the data it provides. Digital certificates created by SSL providers for various websites can be verified in your browser. In Google Chrome, you will see a green ‘https’ lock icon in the address bar, or the company name itself in green, identifying a valid SSL certificate. If you click on it, you will see what kind of digital certificate the website uses.

[Image: Facebook's SSL]

Chrome also uses a number of warning messages and icons to indicate what a connection’s status actually means. For instance, ‘https’ with an ‘x’ mark and a red strikethrough signifies high-risk insecure content or problems with the SSL certificate.

In the same way, a tiny yellow triangle over the lock icon indicates a certain amount of insecure content on the page.

In Firefox, SSL status is shown in the same way in the address bar. The company name is given in green.

[Image: BoA identified by Firefox]

In Internet Explorer, the entire address bar turns light green when it identifies a secure connection.

[Image: IE identifying PayPal]

When there is an error with a website’s SSL certificate, the browser gives you an error message. For instance, go to the website “tv.eurosport.com” and you will be able to visit the page without any issues. Just add ‘https://’ to it (https://tv.eurosport.com), and your browser will display a warning message.

[Image: Warning message on Chrome]

Fetching SSL Details

There are different versions of SSL. Each upgraded version has added better security and protection against a prevalent threat. When you check a website’s SSL digital certificate, you will get important information about the website, such as the name of the organization and its address.

To see the details of a digital certificate in Chrome, simply click on ‘Certificate Information’ under the Connection tab that opens when you click the green lock icon identifying the site.

In Firefox, click ‘More Information’ and then ‘View Certificate’. In IE, simply click the lock icon and then ‘View Certificates’.

Once the digital certificate interface opens, you will find a Details tab that lists some very important details. Here you can find the validity and expiry date of the certificate, the entity to which it was issued, and the name of the issuer.

Besides your browser, you can use some online services that provide the details of a website’s SSL. Here are some of them:

1. Verisign SSL Toolbox: Verisign’s SSL services are now owned by Symantec.
2. Networking4All Site check
3. Qualys SSL Labs check

Conclusion

SSL/TLS has evolved through several versions. It is good to know which version of the protocol your bank is using. To spot the differences, read this technical PDF. Always insist on proper security for online transactions. You should know how to identify dangerous websites. If you ever suspect a website of phishing or spamming, report it immediately.

How to Find If a Website Is Dangerous?

Every day, millions of people purchase things online. Several thousand of them fall prey to online scams such as phishing and malware. There are a huge number of websites which can automatically steal information from you while you are browsing, posting social media updates, or transacting online.

Most of these attacks come from websites which purport to be genuine in order to steal important information from you, an attack strategy popularly known as phishing. This Internet security threat mostly affects people who use the Internet for purchasing things or banking.

In this article, let’s look at some ways to find out whether a website or an order form you find online could actually get you into trouble.

Investigate the Domain

Every website has a domain name. Examples: google.com, facebook.com, bluebugle.org, etc. This is the most basic website address. For instance, if you have a website address (look at the address bar of your browser) in the form “a.b.com/purchase/buy/buy.aspx?num=33”, how will you find out its domain name?

The simple technique is this: find the TLD (Top Level Domain, such as .com, .org, .ca, .us, .co.uk, .co.in, etc.). Once you find the TLD, your domain name search is easy. The domain name is the combination of the word preceding the TLD (excluding the dot) and the TLD. In the example given, the domain name is b.com.

In this way, you will be able to distinguish between website addresses that are genuine and those that merely look genuine.

Example:

threat.google.com/threat.html: a genuine page from the Google domain
google.x.com/genuine.html: a page from x.com, which is not affiliated with Google in any official capacity.

Once you know the domain name, you know whether the website is genuine. For instance, if you click a link and arrive at what looks like your bank’s website but the domain name is unfamiliar, you should know immediately that the website is not genuine but has copied the design of your bank’s website.
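To make the rule concrete, here is a small Python helper, added here and not part of the original article, that pulls the domain name out of a full address the way the text describes, and goes one step further by handling raw IP hosts and addresses that hide the real host behind a user@ prefix. The two-part TLD set and the sample addresses are constructed for the example; a real tool would load the complete Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately partial set of two-part TLDs (an assumption for
# this example). A production tool would load the full Public Suffix List;
# this small set is only here so the ".co.uk" case from the text works.
TWO_PART_TLDS = {"co.uk", "co.in", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the domain name a user should judge the address by.

    Applies the rule from the text: find the TLD (including two-part ones
    such as .co.uk), then take the single label before it plus the TLD.
    A plain IP address has no TLD, so it is returned unchanged.
    """
    # Addresses copied from a page often lack a scheme; add one so that
    # urlsplit treats the first part as the host rather than as a path.
    if "://" not in url:
        url = "http://" + url
    # .hostname drops any "user:pass@" prefix and ":port" suffix, so an
    # address such as "www.google.com@x.com" resolves to the real host x.com.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host  # plain IPv4 address: no TLD, nothing to judge by
    if len(labels) < 2:
        raise ValueError(f"no TLD in host {host!r}")
    tld_size = 2 if ".".join(labels[-2:]) in TWO_PART_TLDS else 1
    if len(labels) < tld_size + 1:
        raise ValueError(f"{host!r} is only a TLD, not a domain")
    return ".".join(labels[-(tld_size + 1):])


def belongs_to(url: str, expected_domain: str) -> bool:
    """True if the URL's domain name equals expected_domain.

    Subdomains of expected_domain pass; addresses that merely contain the
    brand name in an earlier label or in the path do not.
    """
    return registrable_domain(url) == expected_domain.lower()
```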

Browser Tools

The most basic information about the security of a website may be given by the browser itself. Depending on the browser you are using, you should be able to get security information about a website. On desktop, Google Chrome gives Internet security information as shown in this image:

In Firefox, the warning looks like this:

The More Information button gives you details of the website.

Almost all browsers out there also act as Internet security applications: they show warning messages if you are about to visit an insecure or phishing website.

However, last year CSO of Australia reported that Google and Microsoft have poor URL blacklists. Because of this, you should check a URL on multiple services to see whether it is really secure.

Checking the Website

If you need to find out the details of a website and see whether it could be a threat to Internet security, you can use one of several available testing services. Some of them are:

1. Zulu Risk Analyzer

This is a comprehensive URL analyzer that gives you details of the website: its URL, content, and the external objects linked from the URL. Based on these checks, it rates the domain as benign or suspicious.

Link: Zulu Risk Analyzer

2. URL Void

This service keeps URL blacklists against which you can compare your URL. Google Safe Browsing, Norton SafeWeb, and the tools provided by a number of Internet security applications are available within URL Void to check the given URL.

Link: URL Void

3. VirusTotal

Google acquired VirusTotal in September this year, and it works pretty much like an online antivirus. The tool can analyze URLs and files and tell you whether they are safe. With this service, you can upload files of up to 32 MB from your computer for VirusTotal to analyze. A website’s reputation can be found based on the number of votes it has.

Link: VirusTotal

Besides these, you can check a website with browser plugins such as Web of Trust (WOT). Also, at the Google Safe Browsing diagnostic page, you can check a website URL against the Google Safe Browsing database. Simply replace the site parameter with the URL you want to check. Here is the URL of the Safe Browsing diagnostic: http://www.google.com/safebrowsing/diagnostic?site="put your URL here".

Analyzing Shortened URLs

A few URL shortening services out there have gained ground. Some of these are official as well: fb.me (Facebook), t.co (Twitter), goo.gl (Google), TinyURL, bit.ly, etc. There is no telling whether an attacker has used one of these legitimate shortening tools to present you with a malicious URL.

Let’s imagine you come across a shortened URL. You have no idea whether the actual URL is secure or not, and it is unwise to open the short URL in your browser. In such cases, the first thing you need to do is unshorten the URL. To do that, go to unshort.me. Unshort.me converts the short URL to the original URL, which you can analyze further.

I have found that Goo.gl immediately disables a URL if it is an Internet security threat. Google cross-checks the blacklist database and disables the newly created short URL. Do not count on other services. I have found TinyURL, t.co, and bit.ly shortening malicious URLs without any compunction.

Reporting a Threat

Have you come across a possible threat to Internet security? If it is not already in the database of these threat detectors, you can report it to them. There are a number of authorities you can report a threat to, and most of them have provisions for that on their websites. Here are some of them:

1. Report to Google: Send spam report via Webmaster Tools
2. Report Phishing to Google Safe Browsing
3. Report Phishing to IRS, USA
4. Internet Watch Foundation, UK
5. Malware and spam report to URL blacklist
6. Submit to Internet Crime Complaint Center, IC3, formed by FBI and NW3C.

These are some of the options you can go for. Besides these, multiple antivirus and Internet security companies have their own spam report forms which you can use.

Conclusion

These tools and techniques can ensure that you are browsing a completely secure website. However, when submitting any important information such as your credit card number or social security number, you should take further precautions. You should have a very good antivirus and antimalware program installed on your computer.

Be Smart on Facebook

[Image: facebook logo]

Facebook is the largest social network, and hence it is easy to understand why people want to capitalize on its one billion users. Many of Facebook’s users are in the upper side of the economy and could be potential buyers of products and services. Hence, companies create Facebook pages and try to reach a potential audience by asking people like you to comment on and like these pages. This will make sense to you if you know the concept of viral marketing.

Viral marketing works just like a virus spreading through your body: it is automatic and highly accelerated. In the same way, when you like a particular page on Facebook, you are actually recommending that page to all of your friends. They will be able to see this page on your profile page and timeline. Going further, if you have fifty friends on Facebook, the page you like reaches fifty people, and by mere chance five of those fifty may like the page. If each of these five people has fifty friends, the page reaches a wider audience of 250 people, out of which several more may like the page. This spreads virally across Facebook’s network, reaching a lot of people in a lot less time.

In reality, a well-constructed Facebook page could reach thousands of people in days and pile up likes and comments.

When you genuinely like a particular page, image, or link, you should ‘like’ it on Facebook, and it will be propagated through your friends. It’s a good thing to do. On the other hand, I have noticed people simply going ahead and liking every page and image they find on Facebook. You should ask yourself whether this is a good thing to do.

The Like Button

[Image: the like button]

I am not going to explain what the ‘Like’ button does. It is well understood by all by now. In fact there was a report (more like speculation) in the NYTimes that talks about the inner workings of the Like button.

In essence, the Like button can track your details and send them to Facebook, even if you don’t click on it. This is why the advertisements you see on Facebook are so relevant. If you are a movie buff and you visit several movie fan pages on Facebook, then Facebook will serve mostly movie-based ads in your sidebar. The data about how much you like movies is, of course, provided by the Like button.

Although Facebook has a privacy policy that clearly states no data will be tracked by the Like button, many experts do not trust this.

In reality, advertisers and marketers who use the Like button to promote their pages can gain a lot of visits and revenue if they can get many people to like those pages. By the same token, this could be seen as an attack on your online privacy.

The same is the case with other Facebook engagement features, such as the ‘Recommend’ button, the ‘Send’ button, etc.

Your Online Profile & Reputation

Let’s imagine you like every page you find out there and recommend it to your friends and coworkers. How much of your judgment will they trust after a while?

Imagine if you like every brand of a tech gadget out there. Do you think any of your friends will ever ask your opinion about a particular brand? In the same way, if you continue to like images that add no value to you or others, what kind of a message does that send to your contacts?

In your Facebook friends list, you may have close friends as well as acquaintances (which may include your boss, senior workplace officials, etc.). Your friends may not misjudge you based on your likes and recommendations. But what about your acquaintances? Do you want to look stupid in front of these people?

One of the recent marketing gimmicks I found is this: the marketer simply posts an image or a video with a comment like “Type ***** and then press the Like/Share button and see what happens to this video/image”. These sorts of messages and shares go viral within days, piling up thousands of likes and recommends.

Now, as a prolific Facebook user you probably know that nothing is going to happen to an image or a video if you share or like it. But still, people continue to do this no matter what! This sort of marketing technique is simply dishonest, and it can make you look stupid to your friends.

What to Like?

When you find a page about a favorite movie star or film, there is nothing wrong in liking it. But hold on. Before liking that particular page, why don’t you explore it a little? The page about your favorite movie star has to be the genuine page created by the star himself or his officials. If you see something like ‘no official affiliation to the star’, then is there any reason for you to like that page?

Anybody can create a Facebook page about anything. It’s completely free and easy to set up, just like a website. It is hence your responsibility to monitor what you come across and understand the meaning behind it. In essence, be that intelligent person who can read between the lines, okay?

Conclusion

Facebook is a social network and a rather important service today. Nearly one billion users make Facebook relevant to advertisers, media, companies, and individuals. It has also become a hub for spammers and people employing dishonest tactics to manipulate users. Staying away from such tactics requires you to know about them and judge them intelligently.

A History of Tech Company Mistakes and Apologies!

All the time, companies like Apple, Google, Facebook, Microsoft, and what not come up with miscalculated product innovations and in some cases plain gaffes, and in the end they end up apologizing to their customers for their mistakes. Let’s look at a few of the famous apologies in this post. We are not targeting regular apologies for natural product failures, but outright gaffes and arrogant wrongdoings that forced companies to apologize.

Apple iPhone, the Original & Its Price

In 2007, Apple released its groundbreaking product, the iPhone, for the first time and set its price at 600 dollars. It should be noted that the Apple iPhone became one of the hottest-selling products in history, thanks to Apple fans that run into billions. Within two months, Steve Jobs, the late former CEO of Apple, slashed the price of the iPhone from 600 to 400.

The millions and millions who purchased the iPhone for 600 dollars stood with gaping mouths and fingers up their brain. They felt cheated in plain daylight. Apple’s CEO did not apologize, but he wrote to those customers.

[Image: steve-jobs-about-iphone-1-638]

Mark Zuckerberg (CEO, Facebook) on Beacon, Facebook’s Ad Tool

In 2007, Facebook came up with a novel idea: letting your friends know what you purchased online through Facebook. This app, known as Beacon, was tremendously criticized by hundreds of thousands of users. The Beacon program would simply tell your friends about your purchases without your knowledge, and there was no proper way to opt out of this. Facebook said they made the program ‘opt-out’ rather than ‘opt-in’ because they wanted to enable people to share what they forgot to (amusing, isn’t it?). Here’s Mark’s apology:

[Image: zuckerburg-about-beacon-1-638]

Nokia Lumia 920 Demo Video Fiasco

Nokia released the Lumia 920 smartphone with a new camera technology known as PureView only a few days ago. They demonstrated the camera with a video (supposedly taken with the Lumia 920). But if you look at that commercial, you will see a van with a regular film camera mounted on it that captured the entire video. Here’s the video slowed down to show exactly what is happening (thanks to the uploader, smartypunk):

It proved to be such an embarrassment for Nokia that they put up an apology soon enough. Here is the text:

[Image: nokia-lumia-920-apology-1-638]

Google & Jews

Our search giant once returned results that insulted Jews in great detail. The first result for the search term ‘Jew’ in Google was ‘jewwatch.com’, an anti-Semitic website proclaiming that it keeps a close watch on Jewish communities. Google apologized soon enough. Here it is:

[Image: google-apologizes-jews-1-638]

There were other controversies with Google as well, including “she invented” (Google it), about 600 GB of private Wi-Fi data being taken by StreetView cameras, etc.

Whole Foods

The Whole Foods Market CEO, John Mackey, was a well-respected businessman of his time. He, however, got a wrong idea into his head that would kill his good name. He went onto the Yahoo! Finance forums under a pseudonym, ‘Rahodeb’, and started praising his company and criticizing the competitors. He had to apologize, of course (in two sentences, though). We couldn’t find the apology on the website, so we fished it out from Archive.org.

The Apple Maps Fiasco

Apple came up with Maps for iPhone’s iOS 6. Apple Maps was full of mistakes that anybody could spot. Apple has now fired the guy who worked on Maps, and Tim Cook, CEO of Apple, has apologized. You can read about the complete Apple Maps fiasco here.

Microsoft’s Perverts

In June this year, Microsoft was launching its cloud hosting platform, Windows Azure, in Oslo, Norway. At the party that followed, the ‘cloud rap’ lyrics included “The words ‘Micro’ and ‘soft’ don’t apply to my penis & vagina.” MS had to apologize in these words:
Azure team:

This week’s Norwegian Developer’s Conference included a skit that involved inappropriate and offensive elements and vulgar language. We apologize to our customers and our partners and are actively looking into the matter.

And MS corporate communications team chief Frank Shaw tweeted:

This routine had vulgar language, was inappropriate and was just not ok. We apologize to our customers and partners.

At another time, Microsoft’s code for its Hyper-V virtualization product (read about this and others in Microsoft History) for Linux contained the term ‘Big Boobs’ in coded form: the constants “0xB16B00B5” and “0x0B00B135”. Since Linux code is open source, anyone could spot it.

Apple’s Poor Apology

In July this year, Samsung had a court case with Apple regarding design patent infringement of the Apple iPad by Samsung products. Apple lost the case and the judge ordered Apple to post an apology. And Apple did. Here’s their apology. Tell me if it reads like one!

[Image: apples-fake-apology-1-638]

Not only did Apple apologize like a moron, but it also hid the apology well on its website so that no one could easily spot it. As expected, the judge did not approve the apology, and Apple had to come up with a better one. (They removed the original apology and it is no longer available on the website, which is why I have saved this PDF.) They managed to come up with this one, and the text is as follows:

[Image: apple's apology to samsung]

Still, what a pathetic apology, won’t you agree?

[Updated: Feb 17, 2013]

Google Doodle for Asteroid

CNET picked up this story. In response to the happy news that an asteroid called DA14 sped past the earth at nearly 17,000 miles overhead without causing any damage to our ecosystem, Google posted the following doodle above its search box.

[Image: Google Asteroid doodle]

However, hours later, a meteor struck Russia, injuring hundreds of people. Google’s happy doodle immediately became a sadistic joke, and they removed it.

Conclusion

As you can see, these companies are not beyond errors. Some, like Apple Maps, are pretty funny mistakes indeed. When we see more such gaffes, we will laugh out loud and let you guys know here.

[Image: CNET]