Alert! Awesome Screenshot Users

Thursday, August 14th, 2014
100% Useful Infobytes

If you use the browser add-on Awesome Screenshots, you need to pay attention and uninstall it right away. At the time of writing, it is leaking a lot of stuff – well, basically every single website you’ve visited, private or otherwise. Admittedly, months ago, I had this very extension installed because sometimes I’m too lazy to launch my screenshot program (Clarify and Skitch for different tasks). One day, while working on a plugin, I discovered a very interesting error. You see, when I develop plugins, I have all the error notices turned ON and I check for issues as it loads in the browser to make sure we’re using good, modern programming methods. So if an item doesn’t load properly, be it in my plugin or otherwise, I know it. As I was working, this one resource kept coming up with a 404 error. It was a URL to a page that I was 100% certain wasn’t in my plugin. I had no other WordPress plugins installed and the theme was the default, so it had to be something else. I finally traced it to Awesome Screenshots. Each page I loaded, this page loaded too. What shocked me into uninstalling – it was some


14 Action Steps To Secure WordPress Now

Saturday, May 10th, 2014
14 Action Steps To Secure Your WordPress Site

I’ve written a lot about the steps to secure WordPress. It is a bit of a wonder that I don’t have them listed in one place for you to refer to over and over. Well, I’m rectifying that right now. Here are some actions, with updated information, that you need to take immediately.

Install iThemes Security

Before proceeding, please know that WordPress security isn’t a set-once-and-forget thing. It’s a series of steps and layers of processes. Now that is out of the way, there are many different plugins out there for security. I like and use iThemes Security extensively, mostly because it has a checklist of things that covers a lot of the common issues I used to handle by hand. Great as it is, sometimes, on some servers, it just doesn’t want to work nicely. It could be an incompatibility with other plugins or with the way a web host has configured the server. In these instances, my fallback is Wordfence. While Wordfence does not do as much, it has one really important feature – blocking suspicious logins and brute-force logins. Both are free, though there is a Pro version for iThemes Security.


What Is Heartbleed & What Should I Do About It?

Thursday, April 10th, 2014

The web has been alight with the Heartbleed vulnerability. If you’ve only heard of it in passing, listen up. This one is a biggie. The bad news – it affects a lot of web servers. If you have a website, there’s a good chance the server could be vulnerable. If you’d like to check your own servers, you can go to Flippo.io/Heartbleed. Before going too deep, let’s understand it.

What is Heartbleed?

I’m no systems security expert and I may not do a great job explaining this. I’ll let someone a whole lot more qualified than me – Elastica’s CTO Dr. Zulfikar Ramzan – explain in the video below. Please do take time to view it. It isn’t all that long, and it is that important.

What You Can Do

First, don’t panic. Depending on how swift your web host is on these issues, it may already have been taken care of for you. For the most part, if you’re on shared hosting, there’s nothing you can do to patch this. This is a patch that has to happen at a much higher level, and as a shared host account holder, you simply don’t have the permission/access levels to do

Your Online Data is Not Isolated

Let’s start in November a few years ago. A friend contacted me, obviously distressed. Her site had been hacked. I thought, no problem. We’ll get on it. It turned out to be not so routine. Eventually, we found out her website wasn’t hacked. Her domain was stolen. The new website was not hers. Not on her web hosting account. Someone stole her entire business from under her. Fast forward a couple of months. Another sobering story. Mat Honan, one of Wired’s senior writers, had his MacBook, iPhone, iPad and Google Account completely wiped and his Twitter account hijacked. Then I heard news of another friend’s domain getting hijacked. Then, just this week, another major story. Naoki Hiroshima, creator of Cocoyon and developer for Echofon, had his highly valued Twitter username extorted from him. What did the extortionist have on him? Oh… just all of his domains and his PayPal account. Reading his story and the hacker’s responses sent chills up my spine. Since working with my client and learning about Mat Honan’s hacking, I’ve been careful. There’s still much to be done, but I am definitely more careful. I worry a lot about what my husband puts out too. But that’s another story for another


Send to real address

Have you ever come across people with email addresses that look like they were created exclusively for a website? Here’s what I mean. When creating an account at Pinterest, the email address that may be used to register is [email protected] or, when signing up to receive our free yearly blogging planner and calendar, the email address used is [email protected]. In short, anytime they are asked to provide an email address, they enter any word, number, phrase or combination in front of the @. Surely these people didn’t have so much time to create a separate email account for each of these addresses? On that note, you are absolutely correct. This is a simple technology known as wildcard email addresses, sometimes known as catch-all. Once you have it set up, you can create any address you desire on the fly and have it all routed to your real address. Why do this at all? Let’s count the reasons: you want to sign up to try a new service but they do not allow free email addresses; you want to receive information from someone but are new to the author or merchant; you want to maintain email privacy and keep


Checksum distributed

If you’ve ever had any kind of nasty-ware attach itself to your computer, you know how very annoying and potentially dangerous it can be for your privacy, and even your finances. Yet, despite all that, more and more software is being delivered via the Internet than before. Sometimes the same software is available for download from a multitude of sites, especially if it is open source. Thus, the big question is… how do you know the copy you downloaded and are about to install on your computer is an unaltered copy, free from additional nasty code? One thing’s for sure. We aren’t developers, so we can’t just pop it open and be able to tell what’s in it. That’s where checksums come in.

Check what?

Simply put, a checksum – sometimes also called a hash sum – is like a verification code. When you run a program or any file through a checksum calculator, it will spit out a string of characters. When you distribute that file and tell people your checksum code, they can use that code to verify that the copy they received is indeed the exact same one as the one you sent and thus, safe to use


Sandboxing

It has been over 2 years since I first wrote about sandboxing my browser and all Internet-facing programs, but I think it is high time to revisit it again because it is that important. Also because my friend Nicole Dean got duped into installing a bad program from deceptive advertising. Not cool. Anyhow, the original post also focused on how sandboxing saves you from infected websites when there’s lots more sandboxing can do. Before moving on, let me attempt once again to explain what sandboxing does. This time, I am going to use a graphic. I’m not the best graphic artist, so pardon my drawing.

What Is A Sandbox Program?

Working in a sandbox program is a lot like putting down a mat before you let kids start making crafts, or laying down sheets before you start to paint a room. When you launch your browser, Skype, instant messenger, email client (Outlook, Thunderbird) or any program that connects to the Internet inside a sandbox, anything you download and install is contained inside the sandbox. So, if you run a program inside the sandbox and it contains a virus, your computer is not affected at all (pictured on right, top). This way, when a downloaded


Stop broadcasting your username

After the highly publicized hacking of Wired reporter Mat Honan’s identity, it is clear to me that hackers don’t always go about things the way we think they do. When we hear “I’ve been hacked”, we immediately think someone has been trying to crack our passwords using software that tries all sorts of passwords from the dictionary or based on whatever complex algorithm. Or maybe we think they install something malicious on our computer to spy on us. Yet Honan’s experience shows us that hackers don’t always need to do all that stuff. In fact, all they did was cleverly and logically work their way through various systems. They call it social engineering. Whatever the name, it’s not good.

Keep Your Security Processes But Keep Your Eyes Open

Don’t get me wrong. I’m not saying abandon your difficult-to-guess passwords that include caps, characters and numbers. Or don’t use tools to help you secure your personal accounts and business systems. Not at all. It would be foolish of you to. What I’m saying is, sometimes, sit back and take a moment to review if some loops need to be closed.

How I Cracked A WordPress Admin Account

Just this


Time To Switch To 3rd Party Shopping Cart?

Wednesday, April 18th, 2012
Flip the switch

Photo credit: Yutaka Tsutano

There’s a really good chance this won’t be a decision you have to make – good for you. Most marketers I know sell their digital content via a third party system like 1ShoppingCart, eJunkie or Clickbank. If you ever wished you could drop that monthly payment, perhaps you might reconsider after reading this post. With that said, I’m writing this not to convince people to stay with nor switch to a third party system, merely to pose the question to all – a question that we have perhaps never worried too much about until now. Why now? Because, in the last 6 months (and I predict going on into the future), we’ve seen more hacking and site breaches. These are beyond the normal defacing and uploading of malicious content. Those are bad enough, but this is even more scary, ranging from domain hijacking to outright stealing of customer databases. These types of attacks rob us of our brand, business, credibility and trust. Things that are much tougher to fix than cleaning up a site and getting it back into the search engines. They also leave small businesses very vulnerable to lawsuits. Just one case could end our


Warning

Hey all, I know some of you are on top of this regularly and already know it. At the same time, many don’t, so here you go. If you are using Dean’s FCKEditor editor plugin, there are several versions of it. Make sure you’re not using the one with PWWANGS Code for WordPress. It has a vulnerability in it. Here are two places to learn more about it: Sucuri and iThemes.