Temple Run Multiplayer?

Accepting the invites will bring you to the “game” page, which has nothing but a Temple Run image, a play button, and a high score button. Clicking the Play button (or somewhere near the bottom) brings up a standard Facebook login window.

The only page of this fake spam application

Login to Temple Run Multiplayer

Logging in with Facebook would appear to do absolutely nothing, but the hidden script (in an iframe) would then proceed to randomly invite some of your friends.

At this time, this doesn’t appear to do anything dangerous besides spam and annoy your friends. Spam is quite common on Facebook and this one, like other useless spam apps, takes advantage by promising a feature to a popular application.

Have you received invites for Temple Run Multiplayer or something similar? Be sure to report the app to Facebook by clicking the link in the footer.

I just learned of Incapsula, a service similar to CloudFlare, which offers website protection against spammers and hackers as well as content acceleration. I’ve been running my personal site through Incapsula for the past few weeks.

Please note that this article is not a comparison between the two services.

Getting Started

Incapsula features multiple different plans, including a free plan, each with their own bandwidth limit. The first paid plan (Bronze) starts at $49 monthly and an additional $5 monthly per extra domain. All accounts start off with a 30 day free trial of the Gold membership.

Every subdomain appears to be counted as one domain, so each would be an extra $5/monthly on paid plans.

Unlike CloudFlare, Incapsula does not take over your domain’s DNS. Instead, you point your domain to Incapsula using a CNAME record and an A record.

To have the requests forwarded back to your own server, you need to add your domain’s real IP address to the Incapsula account settings. In most cases, this should be filled in for you already.

Incapsula Site IP Settings

Security Settings

Security is the main purpose of Incapsula. There are lots of bad guys out there, from hackers to comment spammers.

The free personal plan provides the following security features:

• Illegal Access Prevention
• Bad Bot Blocking
• SQL Injection Prevention
• Cross Site Scripting Protection
• Access Control by Country
• Security Rule Fine Tuning
• Access Control by Visitor Type

When a threat is detected, Incapsula can either observe and log this or block the request completely. In the paid plans, it can also take additional actions like flag the user or IP.

Incapsula Threat Rules

When a threat is detected, you can choose to have Incapsula send an email alert.

Incapsula Threat Notification via Email

You can choose to block visitors by geographical location if you see a lot of threats coming from one country, particularly if the country isn’t your target audience.

Incapsula Geographic Access Control

Incapsula can also block certain visitor types, like certain bots. Not all the applications on the provided list are malicious. For example, bots like Google are on here, but it’s a useful way to block certain crawlers you don’t want indexing your site.

Incapsula can block visitors by application

Whenever a visitor is blocked from accessing your site, they will see this page shown in the screenshot below. Unfortunately, there is no way for a visitor to bypass this page if its a false positive. In some ways, this could be good since there are many human spammers out there.

Incapsula Block Page

Performance

Also like CloudFlare, Incapsula caches your site’s static content and serves it via its globally distributed network in a CDN-like manner.

This means that rather than serving content from one single server, Incapsula has servers around the world and intelligently serves content using the server that is closest to the visitor’s geographical location.

Over the past month, it has reduced my site’s bandwidth usage by 30%.

The effects on performance is best observed with higher traffic websites.

Incapsula Average Page Speed Chart

Statistics

Incapsula also provides some statistics charts. These numbers seem higher than other services report, likely because all visitors are recorded, rather than just those with Javascript enabled.

There is also a list of recent visitors, along with their browser, OS, location, IP, referrer, search terms, pages hit, etc… I found this to be very useful because of the amount of data it provides.

Incapsula Visitor Log

From the log page, you can also add threat exceptions by URL, country, or IP address. There doesn’t appear to be a way to manually add custom exceptions though.

Incapsula Exceptions

Weekly reports are sent out via email with that week’s traffic statistics. This is extremely useful as I can find out what’s happening with my site without having to login to Incapsula.

Conclusions

Incapsula is a great service and I recommend you give it a try if you own a website.

I really like the weekly reports that are sent out with traffic stats so I can know what’s going on with my site without having to visit the Incapsula website.

I would love to see the ability to whitelist or blacklist specific IP addresses or IP ranges in the same way that geographical locations can be blocked. (Update: As of September 21, 2011, Incapsula supports blacklisting and whitelisting IP addresses in all plans.)

In addition, it would be useful for the block page to have a way for the visitor to bypass it or a method to contact the site owner to alert them of a false positive.

The free plan is sufficient for many sites, but those with higher traffic sites may run into problems with the bandwidth limit of 25 GB a month. I find the prices somewhat on the high end, particularly the Bronze plan ($49/month), which is the same as free except for double bandwidth (50 GB), SSL support, account delegation, and email support. A plan comparison is available here.

What are your thoughts about Incapsula? Both Incapsula and CloudFlare are great services and each have its own advantages. Which do you prefer? Or do you prefer a service I haven’t mentioned yet? Share with us in the comments.

They claim that they managed to expose the personal information of 1 million accounts, including usernames, emails, addresses, and passwords.

How did they do this? Through a simple SQL-injection, which is a simple basic method for exploiting a site’s security holes through improper handling of web URL queries, and the fact that Sony stored all data in plaintext. This means that no encryption was used whatsoever, not even for passwords, so it doesn’t matter how strong a password was.

Getting hacked through a simple SQL-injection is very embarrassing for a big corporation like Sony. As a well known company, users trust them to handle their information properly. Especially since they’ve already been hacked a few weeks ago, one would expect that they would immediately work to improve their security.

It is also worth noting that LulzSec had also successfully hacked parts of PBS.org, Fox.com, and Sonymusic.co.jp in the past few weeks.

LulzSec has uploaded a sample of the data they managed to take from the hack. They say that they couldn’t upload everything because it would take too long. Text files with thousands of usernames and passwords are available on their website as well as on torrents.

A screenshot of the list of releases LulzSec posted on their website, which at the time of writing is down, but Google Cache is available

I looked through a sample the group uploaded and indeed, there are emails and corresponding passwords of thousands of users here and in some files, even dates of birth and postal addresses.

The index file of the publicly uploaded sample from the Sony Pictures hack

As we all know, many users re-use the same passwords everywhere, so their other (possibly more important) accounts (like email) risk getting hacked as well. If you had an account on Sony Pictures (or any Sony website to be on the safe side), change your passwords (including any account using the same one) immediately. Unlike the previous Gawker hack, your password is in plaintext this time.

LulzSec doesn’t appear to have any evil intentions with this data beyond simply showing how terrible the security measures Sony uses are. I actually applaud the hackers for doing this and exposing Sony’s poor security to the world.

Hopefully, after these incidents, Sony will decide to at least encrypt their customer’s data.

What are your thoughts about this incident, particularly about how Sony handles security? Share with us in the comments.

It claimed to be the Skype Newsletter, however this particular email account isn’t linked to any Skype account.

An email claiming to be from Skype

Since I was curious, I clicked through the link and was presented with a website attempting to copy the Skype website but advertising a so-called VoIP add-on to Skype and at the same time, an upgrade to Skype.

The fake Skype website

What it really wanted however, was your credit card information.

The website asks for your credit card information after clicking on the Download button

Now if there was really a new version of Skype available, wouldn’t it just be a download?

Sadly, this email was not flagged as spam by Gmail. This may be due to the fact that the email was digitally signed by a website and the fact that the SPF records pass.

This email may not have been from @skype.com but remember that simply looking at the From: email address is not enough anymore as it is incredibly easy to spoof this address.

Only download software from the official publisher’s website or from well-known download directories (such as CNET Download.com).

Have you encountered a similar email recently? Have any tips on identifying spam messages? Share with us in the comments.

A Free iPad?

Sounds too good to be true? Then it probably is. But how did my friend end up posting this to my wall? They definitely couldn’t have posted it manually, because when I view their profile, this is what I see:

The list actually goes on for quite a while.

So how did my friend end up posting this link to everyone’s wall?

Malicious Script Scam

Click Enable Dislike Button and then a Dislike button will magically appear on your account!

A very common way Facebook pages spam your friends is through a malicious script scam, which promises something will happen by copying/pasting a line of script into the URL bar. Common messages include getting a Dislike button, seeing who views your profile, or proving that your account is active so Facebook won’t delete it.

Copy and paste this "perfectly harmless" looking external script and your account will get a Dislike button.

In the above screenshot, during that “1 minute of processing”, the script is spamming wall posts to all of your friends. The script is sneaky by using an external script URL so the amount the user copies doesn’t look like a lot. It’s also unbelievably easy to edit HTML to add a Dislike button to make fake proof.

If you’re curious about what the script actually contains, click here to view a screenshot of the full external script code from the above screenshot. See if you can read part of it and figure out what it does.

This script can do anything from sending messages to your friends to giving you a malware infection. The example above only spams your friends and doesn’t actually cause any malware infection, but that may change since its hosted by a third party.

Don’t believe any of these posts/pages because Facebook definitely does not delete inactive accounts, there’s absolutely no way to track your profile views, and there’s no such thing as an official dislike button.

And never copy/paste anything into your URL bar unless you know what you’re doing.

Bad Permissions

Another way is through giving permissions. They probably unknowingly allowed a malicious or spam application permission to post on friends’ walls. When giving permissions to any third party application, Facebook asks the user to explicitly give the app permission by pressing an Allow button, but most people end up pressing this button without reading what permissions they’re giving.

Some apps ask for permission to do everything, including post on walls and access your data at any time.

Pressing allow here could cause quite a lot of problems.

Be very careful with what permissions you’re giving to apps. If you accidentally clicked Allow, immediately head to Account > Privacy Settings and then at the bottom, click Edit Settings under Apps and Websites. Remove any application that seems suspicious.

Only allow apps from publishers you trust to access your data and always be alert of the permissions you’re allowing.

Facebook does a very good job with removing spam pages, spam apps, and blocking links, but there’s always some time before a new one comes up and it getting blocked.

And the most important rule with everything is… if it sounds too good to be true, it probably is.

Have you been a victim of these spam posts, whether being the account that’s spamming or the account being spammed? Have more tips on preventing such things from happening? Share your thoughts with us.

Most of us, myself included, are probably guilty of using the same passwords over and over and/or using very weak passwords.

If you have trouble remembering multiple passwords, I recommend trying out a secure password manager (not a built in browser one) like the previously reviewed LastPass.

This is an interesting infographic made by ZoneAlarm highlighting the top 20 most common passwords and simple tricks to keep your passwords secure.

Infographic Source: ZoneAlarm

So how about you? Are you guilty of using the same passwords over and over and/or using very weak passwords? Do you see your password on the list? (If so, be sure to change it as soon as possible.) Share your thoughts in the comments.

Adobe Reader is a very popular PDF reader that is heavily used because it is created by the same company that created PDF files. Whenever a site distributes a PDF file, there’s usually going to be some button that prompts you do download Adobe Reader if you are having trouble viewing the file.

The problem is that because of the product’s popularity, it is frequently the target for hackers. Here’s an interesting infographic I stumbled upon today on Twitter (via @able2extract) about the rapid increase in security exploits involving PDF files and Adobe. Click to view enlarged version.

Infographic Source: Investintech (Original)

Remember that Adobe Reader is hardly the only PDF reader out there. There are many alternatives that have far less security vulnerabilities (and not to mention less bloat) including Nitro Reader and SlimPDF.

What are your thoughts about this security situation involving Adobe products?

Over a month ago,  I started to notice something being loaded from quantserve.com on every single page while browsing TechAirlines. I never included any script from this domain name (Quantcast) so I immediately started to look into each script that was being loaded. Eventually, I figured out this was being called from the WordPress.com Stats script, which was the last place I expected it to find it in.

if(typeof _qoptions!="undefined"&&_qoptions!=null)for(var k in _qoptions)old_qoptions[k]=_qoptions.k;_qoptions={qacct:'p-18-mFEk4J448M',labels:'type.wporg'};document.write(unescape("%3Cscript src='"+document.location.protocol+"//edge.quantserve.com/quant.js' type='text/javascript'%3E%3C/script%3E"));if(typeof old_qoptions!="undefined"&&old_qoptions!=null)_qoptions=old_qoptions;

What is Quantcast?

A bit of background first. Quantcast is a website public statistics service designed for advertisers and marketers. It collects user information and provides it for targeted advertising. It’s also a company that’s on trial for restoring “zombie cookies” from deleted files.

Privacy Invasion Issues

The main problem with Quantcast is the numerous privacy concerns with the tracking. It sets multiple cookies. One on the domain the user is browsing and another one on quantserve.com, which is detected by most anti-malware products as a third-party tracking cookie. I simply do not have any use for TechAirlines being quantified and also do not want any third party cookies from being set here.

Being aware of the background of Quantcast, I’m not comfortable with the company tracking my sites’ visitors, but I never chose to add the script to my site, and yet its there.

When I noticed the script started to be injected by WordPress.com Stats, I immediately created a thread on the WordPress forums.

Matt Mullenweg (creator of WordPress) responded to my thread with:

We’re going to use this to provide some cool features around uniques and people counting.

New features are great, but what about “less is more”?

It seems I’m not alone in this opinion. Including this script is a privacy invasion, especially since there is absolute nothing on the plugin download page that mentions Quantcast or any third party service at all.

gazouteast wrote:

Matt – this is yet another intrusive and unwanted addition to WordPress – (this time via a WordPress maintained plugin) – was this SPYWARE injection discussed on trac BEFORE inclusion? If not, why not? It goes completely against the transparency requirements of the open source declaration. Why is there no mention of this footer script injection on the plugin page? What are you hoping to garner by hiding this addition?

WordPress.com Stats was the only third party Javascript stats service that used only one script and one pixel without setting any tracking cookies. Nothing evil. Not anymore unfortunately.

Page Speed Issues

If we put the privacy issues aside, there’s also a page speed issue that comes up with WordPress.com and Quantcast.

When running a page test, I noticed two extra requests made to quantserve.com.

http://edge.quantserve.com/quant.js

http://pixel.quantserve.com/pixel;r=765847485;fpan=1;fpa=P0-1974493427-1293686832625;ns=0;url=http%3A%2F%2Fwww.techairlines.com%2F;ref=;ce=1;je=1;sr=1024x768x32;enc=n;ogl=;dst=1;et=1293686832625;tzo=300;a=p-18-mFEk4J448M;labels=type.wporg

At the time of writing, the request for the tracking pixel shows a 204 No Content error, however at the time of posting the forum thread, the pixel request created a 302 Redirect to either a pixel on segment-pixel.invitemedia.com or cms.quantserve.com, meaning one additional request.

The Quantcast code means 2-3 additional DNS lookups to load one resource from each subdomain, which usually slows down the page significantly.

The WordPress.com Stats script is already slow through its use of document.write, and this sneaky Quantcast code makes it even worse. So much for “it’s one of the fastest stats system, hosted or not hosted, that you can use”.

Other Thoughts

I use this stats plugin on my websites because I love the simplicity of it and the fact it only uses one script and one pixel to record statistics. It was truly the fastest stats system.

Why isn’t Automattic being transparent about a third party tracker being used? This wasn’t present until a few months ago and there certainly hasn’t been any new features introduced.

I have absolutely no problem with Automattic knowing how many people visit my sites or the minor performance impact caused by the plugin, but in no way did I sign up to be tracked by Quantcast. The plugin also fails to even mention third party tracking at all and does not provide a way to opt-out.

Are you a WordPress blogger using the Stats plugin or a WordPress.com blogger? What are your thoughts about the sneaky Quantcast inclusion into the script? Share your thoughts with us in the comments or leave a reply in this forum thread.

Update 8/25/11: As of Version 1.8.2 of the plugin, although not very detailed at all, the plugin page and readme file do mention the use of the Quantcast script. If you don’t want to have the Quantcast script load, you can try using this plugin created by commenter Frank.

Only those with an inactive and older account (created before April 9, 2009) are impacted because these accounts use the older MD5 hashing algorithm. Current accounts use a stronger SHA-512 algorithm.

The full contents of the email is shown below:

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure
of your information which occurred on December 17th. On this date, we
were informed by a 3rd party who discovered a file with individual user
records on a public portion of one of our servers. We immediately took
the file off the server and investigated all downloads. We have
identified all the downloads and with the exception of the 3rd party,
who reported this issue, the file has been download by only Mozilla
staff.  This file was placed on this server by mistake and was a partial
representation of the users database from addons.mozilla.org

The file included email addresses, first and last names, and an md5 hash
representation of your password. The reason we are disclosing this event
is because we have removed your existing password from the addons site
and are asking you to reset it by going back to the addons site and
clicking forgot password. We are also asking you to change your password
on other sites in which you use the same password. Since we have
effectively erased your password, you don’t need to do anything if you
do not want to use your account.  It is disabled until you perform the
password recovery.

We have identified the process which allowed this file to be posted
publicly and have taken steps to prevent this in the future. We are also
evaluating other processes to ensure your information is safe and secure.

Should you have any questions, please feel free to contact the
infrastructure security team directly at infrasec@mozilla.com. If you
are having issues resetting your account, please contact
amo-admins@mozilla.org.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

There is also a blog post about this on the Mozilla Security Blog.

Even though it is believed that the database did not fall into the wrong hands, as a security precaution, Mozilla has disabled the 44,000 impacted user accounts by removing the md5 password. In order to sign in again, these users must reset their password by clicking “Forgot password”.

Even though passwords are encrypted, weak passwords can easily be brute force cracked. Be sure to use different passwords for each site.

Do you own one of the older and inactive accounts impacted?

Many users try to hide their email address by using methods such as writing myemail at example.com or myemail[@]example.com but these methods have become so common that the bad guys have probably found a way around it already.

While posting your email address publicly is highly discouraged, if you really need to, here are some free tools that will help safeguard your email address while still allowing good visitors to find out your email.

reCAPTCHA Mailhide

We all know reCAPTCHA. It’s that squiggly text you see that many sites use for human verification. reCAPTCHA is different from regular CAPTCHAs in the way that it’s also helping to digitize books using OCR technology. reCAPTCHA is currently owned by the internet giant, Google.

reCAPTCHA also provides a free service called Mailhide and it does exactly what the name implies.

To start, enter your email address at the Mailhide page.

On the next page, there will be two snippets of code:

The first one is a direct link to the reCAPTCHA challenge users would have to complete to reveal your email address.

The second one is a HTML link to challenge. By default, this format shows the first three letters of your email address, followed by an ellipsis, followed by the domain name. By clicking the ellipsis, a reCAPTCHA challenge pop-up window will open and upon completing the challenge, your email address will be revealed.

An example of what the Mailhide challenge page looks like.

Below shows the email address myemail@example.com being protected:

myem…@example.com

If you successfully complete the challenge, the email address will be revealed.

CloudFlare

We previously covered CloudFlare, a free website security and CDN solution. CloudFlare also has a feature that hides email addresses in Javascript and is only shown to those with scripts enabled. The email address is encrypted in the source code.

Why does this work? Most bots don’t support Javascript so when they visit your site, in place of the email address would be [email protected].

If a regular visitor with scripts enabled, the email would be decrypted and displayed normally. Otherwise, it would show a link with [email protected] as the text. Clicking this would open up a CloudFlare page and work like reCAPTCHA Mailhide. CloudFlare even uses reCAPTCHA.

Of course, CloudFlare also comes with network level security so it may be able to stop the spam bots before they actually reach your site.

Display Email as an Image

Bots, including Google, typically can only read actual text. They are unable to read text inside images, therefore hiding your email address as an image is often an effective solution.

You can type the email address out and take a screenshot of it, add the text directly into an image with a graphics editor, or use tools such as Email2Image.

The above email address was created using Email2Image. Regular email harvesters and spam bots are unable to read the text inside the image.

Have another tip for hiding email addresses? Share with us in the comments.