Archive for the ‘Security’ Category
Facebook, Dropbox Apps Store Personal Info In Unsecured Plain Text Files
A somewhat troubling security flaw has been found in the mobile apps for Facebook and Dropbox. It seems that both apps (and others, presumably) store access tokens in an unsecured plain text .plist file that can be easily accessed with certain free file management tools. Also, the flaw is found in both the iOS and Android versions of Facebook, though Dropbox’s Android version stores the file more securely.
The problem was first discovered by Gareth Wright, who was exploring the practice of modifying .plist files as a means of cheating on certain iOS games. When digging through OMGPOP’s popular Draw Something app, Wright found an access token for Facebook stored in plain text within the app.
This led him to begin poking around the Facebook app itself, where he discovered that the app stored an OAuth key in plain text as well, completely unencrypted. This key allowed complete access to Wright’s Facebook account when he transferred it to a friend’s phone. When Wright contacted Facebook about the problem, they replied that they were aware of it and working on a fix.
Following up on Wright’s work, The Next Web managed to get a fuller statement out of Facebook. Facebook claims that the exploit only works if a user’s phone is jailbroken. This, however, is false, as the tool Wright was using, iExplorer, works perfectly well on non-jailbroken devices. Moreover, Wright says that it also works on passcode-protected devices.
The Next Web was also able to duplicate Wright’s work with the Dropbox iOS app. Using iExplorer, they copied a plain text .plist file from one device to another, and used it to gain access to the first user’s Dropbox account on the second phone. When asked for comment, Dropbox told them that it was aware of the issue and was currently preparing an iOS update that would fix the problem.
Now, before you get too freaked out about this flaw, it’s worth noting one important fact: tools like iExplorer have to be physically connected to your device in order to gain access. For someone to read these plain text files on your phone, they have to actually have possession of it, so only someone to whom you give your phone, who finds it when you lose it, or who steals it could use this exploit to get at your personal data. While this is a pretty serious oversight, it’s not much of a direct threat to the average user, as long as they retain physical control of their device.
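For developers who want to check their own app for the storage flaw described above, here is an added example (not code from the article or from any of the apps it names) that audits a preferences .plist for credential-like entries and reports them with the values redacted. The key-name pattern, the entropy threshold and the sample plist are assumptions constructed for illustration.

```python
import math
import plistlib
import re
from collections import Counter

# Assumed heuristic: key names that suggest a stored credential.
SUSPECT_KEY = re.compile(r"(token|oauth|secret|password|session|api[_-]?key)", re.I)

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_secret(value):
    """Long, space-free, high-entropy strings are typical of bearer tokens."""
    return len(value) >= 20 and " " not in value and shannon_entropy(value) >= 3.5

def walk(node, path=""):
    """Yield (path, leaf_value) for every leaf of a nested plist structure."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}")
    elif isinstance(node, (list, tuple)):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node

def audit_plist(data):
    """Return redacted findings for one plist given as bytes (XML or binary)."""
    findings = []
    for path, value in walk(plistlib.loads(data)):
        if isinstance(value, bytes):
            value = value.decode("ascii", "ignore")
        if not isinstance(value, str):
            continue
        key = path.rsplit("/", 1)[-1]
        if SUSPECT_KEY.search(key) and len(value) >= 8:
            reason = "credential-like key name"
        elif looks_like_secret(value):
            reason = "high-entropy value"
        else:
            continue
        # Report where the secret lives, never the secret itself.
        findings.append({"path": path, "reason": reason, "length": len(value)})
    return findings

# Constructed sample preferences file; key names and values are invented.
_SAMPLE = {
    "LastLaunchVersion": "2.1.0",
    "ShowTutorial": False,
    "Account": {"DisplayName": "Test User",
                "OAuthAccessToken": "CONSTRUCTED-EXAMPLE-TOKEN-0000000000"},
    "Cache": {"Blob": "q8Zr2LwX0pT7mVb4NcY6sJd1HfGk9AeU"},
}
SAMPLE_XML = plistlib.dumps(_SAMPLE)
SAMPLE_BINARY = plistlib.dumps(_SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for finding in audit_plist(SAMPLE_XML):
        print(finding)
```

A hit means the value belongs in the platform's protected credential store (the Keychain on iOS) rather than in a preferences file that file-management tools can copy off the device.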
Google Code Jam 2012 Now Accepting Challengers
Last Updated on Thursday, 15 March 2012 09:25 Written by MauiDeveloper Thursday, 15 March 2012 09:25
Last year’s winner helped cure Goro’s anger
By Zach Walton
Code Jams are kind of like the Olympics for developers and programmers. It’s a grueling days-long competition to see who can solve the most challenging algorithms that the organizer of the event can throw at them. If that sounds like your kind of thing, Google wants you to compete in their event.
Google announced yesterday on their blog that Code Jam 2012 registration is now open. Google’s Code Jam has been going on since 2003 with this year’s contest looking to be the biggest.
Makoto Soejima took home the first place prize last year. He had to get through various challenges and hardships such as building a house for kittens and helping Goro of Mortal Kombat fame through anger management. You may be wondering what any of these have to do with coding. Just check out the problem from the aforementioned Goro scenario and watch as your brain shuts down over what it just processed.
Participants for the Code Jam will come from all over the world to prove their merit against the sure to be daunting challenges. Thankfully, participants can use whatever programming language they’re most familiar with to tackle the algorithms.
The qualification rounds will take place on April 13, so you just have a little under a month to get ready. Those who pass this round will compete in three more online rounds over the next few months. The top 25 contestants will be flown to New York City on July 25 to compete in the final round that will net the winner $10,000.
While I’m in no way confident in my ability to solve these problems, let alone basic algorithms, you can register to compete in the Code Jam now. If you’re a little rusty, the Google blog post provides competitors with the four final problems from last year.
About Zach Walton
Zach Walton is a Writer for WebProNews. He specializes in gaming and technology.
Consumer Privacy ‘Bill of Rights’
Last Updated on Thursday, 23 February 2012 07:01 Written by MauiDeveloper Thursday, 23 February 2012 06:59
Consumer Privacy ‘Bill of Rights’ Seeks To Give Web Users More Control Over Their Data

The Obama administration on Thursday will unveil a consumer privacy “bill of rights” that aims to give web users more control over how their personal information is collected and used online.
The “bill of rights” will include seven principles to protect consumers’ digital privacy, such as the right to opt out of having their personal data collected and the right to have easily understandable policies on companies’ privacy practices, Obama administration officials said on a conference call with reporters Wednesday.
The principles will include creating a setting on web browsers that allows Internet users to opt out of having their browsing habits monitored. The advertising industry also committed to not releasing consumers’ browsing data to companies that use it for purposes beyond advertising, such as employers making hiring decisions or insurers determining coverage, officials said.
“It’s great to see that companies are stepping up to our challenge to protect privacy so consumers have greater choice and control over how they are tracked online,” Federal Trade Commission Chairman Jon Leibowitz said in a statement. “More needs to be done, but the work they have done so far is very encouraging.”
In coming weeks, the Commerce Department will bring together companies, privacy advocates and other stakeholders to develop privacy policies based on principles outlined in the bill of rights, officials said. Though companies are not required to follow the principles, about 90 percent of companies involved in targeted online advertising have agreed to comply, Stu Ingis, general counsel for the Digital Advertising Alliance, a group of digital advertising trade organizations, told reporters on the conference call. Those companies could be subject to FTC enforcement for not adhering to the principles, officials said.
Officials said the bill of rights will serve as a blueprint for legislation in Congress to protect consumers’ online privacy. Last year, at least two bills were introduced in support of a “Do Not Track” mechanism that would give web users control over online tracking, but did not pass.
Thursday’s announcement comes as a growing number of privacy failings by tech companies have fueled concerns that consumers do not have control over how their personal information is being collected and shared.
In the last few weeks, Google was caught bypassing privacy settings on Apple’s Safari browser to track the browsing habits of Internet users. Google disabled the code after being contacted by the Wall Street Journal, which first reported the story last week.
In addition, the mobile social network Path was found downloading users’ address books without their permission.
“Silicon Valley has a privacy problem,” said Jonathan Mayer, a graduate student at Stanford University who discovered Google was using a special computer code to monitor Safari web users. “It’s very clear that companies have repeatedly fallen short in taking measures to protect users’ information.”
“For the moment, the M.O. in Silicon Valley is ‘do as much as you can until somebody slaps your hand,’” Mayer said.
The FTC, which regulates the use of consumers’ data online, has become more aggressive in protecting that data. Last March, Google settled charges from the FTC that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. Last November, Facebook agreed to settle FTC charges that it deceived consumers by telling them they could keep their information private on the social network, and then repeatedly allowed it to be shared and made public.
Google set off more privacy concerns last month when it announced in a blog post that it will revise its own privacy policies to track users across all of its products. This prompted consumer groups to file complaints with the FTC, arguing that Google was violating the commission’s order as part of last year’s settlement.
“The FTC takes compliance with our consent orders very seriously and always looks carefully at any evidence that they are being violated,” an agency spokeswoman said in response to the complaints.
Web companies are required to issue statements to consumers about their privacy policies. But most privacy statements are so dense that consumers don’t read them and there are no clear guidelines about what those privacy statements should say, said Ashkan Soltani, a noted privacy researcher. Many do not fully explain how companies use consumers’ data, he said. It has often taken the work of independent researchers like Soltani, Mayer and others to shed light on how these companies are collecting, storing and distributing user information.
Soltani said that web companies are generating revenue by collecting user data and selling access to that information for third-party advertising. The public is mostly unaware of these practices, however, and web companies are getting into trouble because they are not asking users for permission, he said.
“They haven’t used good manners,” Soltani said. “They’ve decided to take it without asking.”
Al Gore Comes Out Against SOPA
by Alex Fitzpatrick via Mashable
Former Vice President (and Apple board member) Al Gore has some strong words against the Stop Online Piracy Act (SOPA).
The bill “would very probably have the effect of really shutting down the vibrancy of the Internet,” Gore said at a CareerBuilder event Thursday night.
SOPA, if passed, would give the U.S. federal government a wide array of powers for disabling a website it found to be in violation of copyright law. Many Internet users and tech companies, including Yahoo, Google and eBay, consider the bill dangerous to the structure of the Internet as we know it.
Gore certainly, if belatedly, agrees. “In our world today there is hardly anything more important than to save and protect the vibrancy and freedom of the Internet,” he said.
Video of Gore’s statement was available on YouTube Friday morning. However, the amateur footage, seemingly recorded on a mobile phone or other personal device, has since been removed. Neither the original uploader of the video nor CareerBuilder were available for comment.
Gore holds a special place in Internet lore. While running for president in 2000, the Democratic nominee told CNN’s Wolf Blitzer that he “took the initiative in helping to create the Internet.” That statement spawned a myth which persists today — that Gore claims he invented the Internet. The truth, and Gore’s claim, is more subtle. (Snopes.com has a full breakdown of the Gore myth here.)
Gore certainly had a hand in nurturing the Internet’s growth while serving in Congress; he introduced the “High Performance Computing and Communication Act of 1991” (HPCA). Better known as the “Gore Bill,” the law provided for a massive improvement on existing digital communications infrastructure.
So, while Gore didn’t “invent” the Internet, he clearly knows a thing or two about it. And he’s very worried that SOPA could destroy the thing which he worked to help bring about.
“Anything that would threaten the vibrancy and freedom of the Internet and the future, I’m against,” said Gore.
How to Protect Your Domain Name from Cybersquatting
By Carolyn M. Brown
“Watch your back” has taken on an entirely new meaning in cyberspace. It is easy for someone to steal business away from you or to ruin your reputation by misrepresenting a domain name associated with your business. With the cost of registration and basic web hosting being fairly cheap, anyone can set up shop using a variation of your domain name or company name. Most registration services are automated, and as long as the exact name is not already recorded, almost any domain name gets approved. There’s generally not any kind of ownership check or trademark research involved, leaving room for cybersquatters to infringe on your good name.
The traditional definition of cybersquatting is the practice of registering names, especially well-known company or brand names, as Internet domains, in the hope of selling them for a profit. But the term is more commonly used when referring to bad faith domain registration. The more widespread misuse today is registering a slight variation of a popular site to reap the benefits of added traffic from customers who mistype the URL. It is not unheard of for a competitor to register a close variation of your domain name for the sole purpose of diverting your customers into visiting their site.
“People search the web all different kinds of ways,” says Jeremiah Johnston, president of the Internet Commerce Association. “Some will go to the address bar in their browser and type cars.com because they assume that site will have information about cars. A lot of those generic domain names have natural traffic.” Johnston says that these sites get hundreds of thousands of unique visitors, making them very valuable since that traffic can be sold to advertisers. The illegitimate business use lies in someone who goes out and gets a slight misspelling of Coca-Cola, for example, and then routes that traffic to a page where they are selling Pepsi products. “That is the new threat in cybersquatting—trying to divert traffic away from another site,” he adds.
Johnston says this also is part of the reality of doing business on the web. If you chose weak, descriptive, keyword-oriented names for your business or trademark, it’s easy for others to do the same. “If I registered a domain name steeringwheels.com, I wouldn’t have much of a case to stop another company who created a website steeringwheel.com,” he explains. Olympic.com, for instance, is owned by Olympic Paint in Pittsburgh and not the famous international athletic competition (their site is Olympic.org).
Many business owners fail to realize that cybersquatting is a civil matter and not a criminal matter. You can protect yourself and your good name. But safeguarding your presence on the Internet requires ongoing vigilance. Here are some steps to take toward ensuring that your domain is not easily undermined or stolen by unscrupulous characters.
1. Have a registered trademark.
The first protective strategy is to register your trademark with the United States Patent and Trademark Office, says San Francisco attorney Richard W. Stim, who is the co-author of Trademark: Legal Care for Your Business & Product Name. “There are two ways you can have a trademark: it can be registered or unregistered. Having it listed in the government registry is the right way to go,” he says. There are hundreds of millions of domain names that are being registered and renewed every year. The number of legitimate trademark claims that comes out of those registrations is a tiny percentage.
2. Record the proper domain ownership.
The domain information that is registered is the ownership information. So, if you are allowing a member of your IT team to register in his or her name, it might make it easier for them to administer it, says Johnston. “But if that employee leaves, especially on bad terms, that makes it harder for you to claim ownership, because it is technically under the name and control of someone else.” Just the same, if you hired someone to design your website, your domain name could very likely be registered under that person’s name. Make sure it is registered in the name of senior management or the company itself. Have at least two names on the registration so that when there are changes both parties are notified. Also, don’t let your domain expire right under your nose. Domain registrars are for-profit companies; they are basically record keepers, says Johnston. “So, when a domain name expires from a customer they will keep it for themselves if they think that it is valuable.” You may be forced to buy back your own name.
3. Buy up variations of your domain name.
Johnston suggests business owners have a portfolio of domain names. The easiest and cheapest way to protect your company is to register common variations of your domain before someone else does so and before any damage is done. “You may want to spend that extra $7 a year to register variations of your name. The only reason a third-party would go out and register those domain names was if they thought that there was valuable traffic out there,” he says. “That means if a mistype of your name is valuable to someone else you need to get it first.”
If your domain is made of more than one word, consider registering it with hyphens; for example, race-horsing.com and racehorsing.com. Consider also registering the singular and plural versions of your domain, such as product.com and products.com. Typosquatting is a form of cybersquatting; so, be sure to register any known common mistypes or misspellings of your domain name; for example, lawcounsel.com and lawcouncil.com. You also are going to want to register your acronym, like the NBA.com, if that’s how people refer to your business.
4. Get more than one extension.
In addition to registering common mistypes, consider registering all of the common versions of your domain, such as .com, .net, and .biz. You might also consider registering .org and .info. If you are doing business outside of the country you will definitely want country extensions, such as .uk, says Stim. But don’t get too distracted by all of these extensions. If you are not a nonprofit organization you shouldn’t get an .org, for instance.
5. Head off the haters.
A common practice is to take a domain or company name and add “sucks” to it, such as Nikesucks.com. Angry former employees, dissatisfied customers, or anyone with a personal grudge may use a “sucks” site to bad mouth your company and your products or services. Legal cases have stated that this is not trademark infringement, says Stim. It is considered free speech. Consider buying your companynamesucks.com site. You don’t have to use it, just keep someone else from having it. On the other hand, if someone uses a thiscompanysucks.com site to push products, competing goods, or advertisements, then they are no longer exercising their “free” speech, says Stim. There is a case for the domain and that site to be taken down the minute it becomes commercial.
6. Fight back through arbitration.
You can, of course, sue if cybersquatters go too far and infringe on your trademark or libel your company. But domain-related lawsuits can cost dearly—at least $5,000 to get started. Victims of cybersquatting in the United States have two options: one is to sue under the provisions of the Anticybersquatting Consumer Protection Act (ACPA) and two is to use an international arbitration system known as the Uniform Dispute Resolution Process (UDRP) administered by the Internet Corporation of Assigned Names and Numbers (ICANN). In order to stop a cybersquatter, you must prove the domain name registrant had bad-faith intent to profit from your distinctive name or trademark and that the domain name is identical or confusingly similar to your name or trademark.
Arbitration is a lot cheaper. It costs around $1,200-$1,500 to file a complaint and this procedure does not require an attorney. Arbitration may be unpredictable; “so, some people feel more comfortable waving a bigger stick by filing a lawsuit,” says Stim. Also, arbitration can take six months to a year to resolve and get the domain name transferred back to you, he adds, whereas with a lawsuit the court may get an injunction within six weeks to stop the other party from using the domain name. Stim says sometimes it is cheaper to buy the name back than to go to court. In a situation where someone owns the domain name you want, they will set a sell price that is cheaper than arbitration or court costs, say, for example, $600 versus $1,200.
7. Think like a consumer.
Don’t look at the web like “I navigate it this way so everyone else must.” Take a step back, Johnston says. “What we see most often is that a lot of businesses have a closed view about what domains are and how they can function as part of their overall web strategy. So, they go out and get a domain name based on the company’s name. But that might not be how people are searching for them,” he explains. “When people are searching for you, they are going to go to the browser and type whatever you sell and add a .com at the end of it.”
Johnston points out that sometimes the most valuable domain names are the ones that you don’t have an exclusive right to. For example, Calvin Klein owns underwear.com. “That domain is more valuable to them than calvinklein.com. It generates significant new business for them just from all the people who type underwear in their browser,” he says. “They have a legal right to protect calvinklein.com but they have no legal right to protect underwear.com.”
Your domain name is an investment in more than just your company’s website. The best defense is to be proactive and to have a robust domain strategy. “If you take a passive approach, everything is going to get bought up and once that happens,” Johnston says, “you will have to take a litigious route and that’s only if you have the right to do so.”
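To turn steps 3 through 5 into a concrete registration checklist, the following added example (not part of the original article) builds the candidate list for a brand: hyphenated form, singular/plural counterpart, mistypes, the “sucks” variant and the extra extensions. The function names are hypothetical, the dropped-letter and swapped-letter model of a “common mistype” is an assumption, and sound-alike spellings such as lawcouncil must be supplied by hand.

```python
PRIMARY_TLD = "com"
OTHER_TLDS = ("net", "biz", "org", "info")  # the extensions the article names

def counterpart(word):
    """Naive singular/plural flip; irregular nouns must be added by hand."""
    return word[:-1] if word.endswith("s") and len(word) > 3 else word + "s"

def slips(label):
    """Dropped letters and swapped neighbours (assumed model of a mistype)."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])  # omission
        if i + 1 < len(label):              # adjacent transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return {s for s in out if s}

def defensive_candidates(words, known_mistypes=(), country_tlds=()):
    """Map each category from the article to the domains worth registering.

    words: the words making up the name, e.g. ["race", "horsing"].
    known_mistypes: sound-alike labels a keyboard model cannot derive.
    country_tlds: country extensions for markets you operate in.
    """
    base = "".join(words)
    labels = {
        "singular_plural": {"".join(words[:-1]) + counterpart(words[-1])},
        "mistype": slips(base) | set(known_mistypes),
        "sucks": {base + "sucks"},
    }
    if len(words) > 1:
        labels["hyphenated"] = {"-".join(words)}
    report = {cat: sorted(f"{label}.{PRIMARY_TLD}" for label in labs)
              for cat, labs in labels.items()}
    # Extensions apply to the exact name only, to keep the portfolio small.
    report["extensions"] = sorted(f"{base}.{tld}"
                                  for tld in (*OTHER_TLDS, *country_tlds))
    return report

if __name__ == "__main__":
    plan = defensive_candidates(["law", "counsel"],
                                known_mistypes=("lawcouncil",),
                                country_tlds=("uk",))
    for category, domains in plan.items():
        print(category, len(domains), domains[:5])
```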