<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.2.3" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>The Digital Security Report</title>
	<link>http://www.digitalsecurityreport.com/blog</link>
	<description>Thoughts about security in a digital world</description>
	<pubDate>Thu, 30 Aug 2007 21:15:57 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>
	<language>en</language>
			<item>
		<title>Browser toolbars reveal more than you think</title>
		<link>http://www.digitalsecurityreport.com/blog/security/browser-toolbars-reveal-more-than-you-think</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/browser-toolbars-reveal-more-than-you-think#comments</comments>
		<pubDate>Mon, 27 Aug 2007 13:34:46 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>search</category>
	<category>engine</category>
	<category>toolbar</category>
	<category>security</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/browser-toolbars-reveal-more-than-you-think</guid>
		<description><![CDATA[All the major search engines provide toolbars that you can download and install in your browser. Each toolbar has some nifty features that are commonly not found in browsers, which makes them compelling enough to download and install. One feature of all toolbars is to be able to search the web using the search engine [...]]]></description>
			<content:encoded><![CDATA[<p>All the major search engines provide toolbars that you can download and install in your browser. Each toolbar has some nifty features that are commonly not found in browsers, which makes them compelling enough to download and install. One feature of all toolbars is to be able to search the web using the search engine that made the toolbar. This is of course the reason for the toolbar&#8217;s existence: to funnel more searches to the search engine.</p>
<p>Another common &#8220;feature&#8221; of search engine toolbars is to report home about each web page that you visit. Even though you can in most cases turn off this feature, the toolbar offers some compelling extra benefit so that most users keep it enabled. (Or they are just unaware of the &#8220;call home&#8221; feature.)</p>
<p>If we for the moment disregard the privacy aspects of reporting every web page that you visit, there is another implication that most web site owners are not aware of: The web pages reported by toolbars are fed into the search engine&#8217;s web crawler. (I don&#8217;t have proof that this is the case for all toolbars, but I know it&#8217;s true in at least one case. And that&#8217;s enough to cause trouble for web masters.)</p>
<p>What&#8217;s the problem with that, you say? One example could be that you&#8217;re working on a new web site that is not quite ready to be public yet. And you haven&#8217;t bothered to password protect it during the development. Who is going to guess your new domain name anyway? As you&#8217;re busy developing your site, the toolbar sends the URL of every page - finished or not - to the search engine.</p>
<p>Another, perhaps more serious, example is the thank you page of web sites that sell digital products. When you - or any one of your customers - go to the thank you page, the toolbar reports the URL to the search engine. If you don&#8217;t have any additional protection on the thank you page it will be included in the search engine index. Then when a potential customer uses that search engine it&#8217;s possible that your thank you page shows up in the search results. And it&#8217;s very likely that the person searching was looking to buy your product. But now, with direct access to the thank you page the potential customer can download it for free. You just lost a sale.</p>
<p>If you have good web analytics it may be possible to see these direct accesses and calculate how much money you&#8217;re losing. But it&#8217;s also very likely that the search engine has cached your page, and possibly even the product download itself. In that case you will never even know that your product was downloaded without payment.</p>
<p>My <a href="http://www.DigitalSecurityReport.com/">Digital Security Report</a> has advice on how to protect your digital products from overzealous search engine toolbars.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/browser-toolbars-reveal-more-than-you-think/feed</wfw:commentRss>
		</item>
		<item>
		<title>Can anyone view your WordPress plugins?</title>
		<link>http://www.digitalsecurityreport.com/blog/wordpress/can-anyone-view-your-wordpress-plugins</link>
		<comments>http://www.digitalsecurityreport.com/blog/wordpress/can-anyone-view-your-wordpress-plugins#comments</comments>
		<pubDate>Mon, 20 Aug 2007 13:24:15 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[WordPress]]></category>

	<!-- AutoMeta Start -->
	<category>wordpress</category>
	<category>plugins</category>
	<category>directory</category>
	<category>listing</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/wordpress/can-anyone-view-your-wordpress-plugins</guid>
		<description><![CDATA[If you are running WordPress go to www.yourdomain.com/wp-content/plugins. If you see a directory listing of all your installed plugins you may want to follow the steps described by Shoemoney here.
This is not a major security hole and you are not alone in exposing your plugins. Google has indexed over 500,000 plugin directory listing pages.
It appears [...]]]></description>
			<content:encoded><![CDATA[<p>If you are running WordPress go to www.yourdomain.com/wp-content/plugins. If you see a directory listing of all your installed plugins you may want to follow the steps described by Shoemoney <a href="http://www.shoemoney.com/2007/07/03/watch-your-wordpress-plugins-directory/">here</a>.</p>
<p>This is not a major security hole and you are not alone in exposing your plugins. Google has <a href="http://www.google.com/search?hl=en&amp;safe=off&amp;q=Index+of+%2Fwp-content%2Fplugins&amp;btnG=Search">indexed</a> over 500,000 plugin directory listing pages.</p>
<p>It appears that this will be <a href="http://trac.wordpress.org/ticket/4759">fixed</a> in the 2.3 release of WordPress.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/wordpress/can-anyone-view-your-wordpress-plugins/feed</wfw:commentRss>
		</item>
		<item>
		<title>robots.txt</title>
		<link>http://www.digitalsecurityreport.com/blog/security/robotstxt</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/robotstxt#comments</comments>
		<pubDate>Tue, 14 Aug 2007 05:02:57 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>robots txt</category>
	<category>google</category>
	<category>googlebot</category>
	<category>yahoo</category>
	<category>slurp</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/robotstxt</guid>
		<description><![CDATA[Back in the days around 3 B.G (Before Google) AltaVista was the new search engine on the block. In an effort to show off the power of their minicomputers, the AltaVista team at Digital decided to crawl and index the entire web. This was at the time a new concept. Many web masters didn&#8217;t relish [...]]]></description>
			<content:encoded><![CDATA[<p style="margin-bottom: 0in">Back in the days around 3 B.G (Before Google) AltaVista was the new search engine on the block. In an effort to show off the power of their minicomputers, the AltaVista team at Digital decided to crawl and index the entire web. This was at the time a new concept. Many web masters didn&#8217;t relish the idea of a &#8220;robot&#8221; program accessing every page on their web site as this would add more load to their web servers and increase their bandwidth costs. So in 1996 the Robots Exclusion Standard was created to address these web master concerns.</p>
<p style="margin-bottom: 0in">Using a simple text file called robots.txt you can instruct web crawlers (a.k.a. robots) to stay out of certain directories. Here is a very simple robots.txt which disallows all robots (User-agents) access to the /images directory.</p>
<p><code>User-agent: *<br />
Disallow: /images<br />
</code></p>
<p style="margin-bottom: 0in">By disallowing /images you are also implicitly disallowing all subdirectories under /images, such as /images/logos and any files beginning with /images such as /images.html.</p>
<p style="margin-bottom: 0in">Curiously there was no &#8220;Allow&#8221; directive in the first draft of the standard. It was added later, but it&#8217;s not guaranteed to be supported by all robots. So anything that is not specifically disallowed should be considered fair game for web crawlers.</p>
<p style="margin-bottom: 0in">To disallow access to your entire web site use a robots.txt like this:</p>
<p><code>User-agent: *<br />
Disallow: /<br />
</code></p>
<p style="margin-bottom: 0in">If User-agent is * then the following lines apply to all search engine robots. By specifying the signature of a web crawler as the User-agent you can give specific instructions to that robot.</p>
<p><code>User-agent: Googlebot<br />
Disallow: /google-secrets<br />
</code></p>
<p style="margin-bottom: 0in">Since the original spec was published several search engines have extended the protocol. One popular extension is to allow wildcards.</p>
<p><code>User-agent: Slurp<br />
Disallow: /*.gif$<br />
</code></p>
<p style="margin-bottom: 0in">This prevents Yahoo! (whose web crawler is called Slurp) from indexing any files on your site that end with &#8220;.gif&#8221;. Keep in mind that wildcard matches are not supported by all search engines so you have to preface these lines with the appropriate User-agent line.</p>
<p style="margin-bottom: 0in">You can combine several of the above techniques in one robots.txt file. Here&#8217;s a theoretical example.</p>
<p><code>User-agent: *<br />
Disallow: /bar<br />
<br />
User-agent: Googlebot<br />
Allow: /foo<br />
Disallow: /bar<br />
Disallow: /*.gif$<br />
Disallow: /<br />
</code></p>
<p style="margin-bottom: 0in">This would result in the following access results for a few URLs:</p>
<table border="1" cellpadding="5" cellspacing="0" width="100%">
<tr valign="top">
<th width="33%">URL</th>
<th width="33%">Googlebot</th>
<th width="33%">Other robots</th>
</tr>
<tr>
<td valign="top">example.com/foo.html</td>
<td valign="top">Allowed</td>
<td valign="top">Allowed</td>
</tr>
<tr>
<td valign="top">example.com/food.html</td>
<td valign="top">Allowed</td>
<td valign="top">Allowed</td>
</tr>
<tr>
<td valign="top">example.com/foo/</td>
<td valign="top">Allowed</td>
<td valign="top">Allowed</td>
</tr>
<tr>
<td valign="top">example.com/foo/index.html</td>
<td valign="top">Allowed</td>
<td valign="top">Allowed</td>
</tr>
<tr>
<td valign="top">example.com/foo.gif</td>
<td valign="top">Allowed</td>
<td valign="top">Allowed</td>
</tr>
<tr>
<td valign="top">example.com/fu.html</td>
<td valign="top">Blocked</td>
<td valign="top">Allowed</td>
</tr>
<tr>
<td valign="top">example.com/bar.html</td>
<td valign="top">Blocked</td>
<td valign="top">Blocked</td>
</tr>
<tr>
<td valign="top">example.com/bar/index.html</td>
<td valign="top">Blocked</td>
<td valign="top">Blocked</td>
</tr>
<tr>
<td valign="top">example.com/img.gif</td>
<td valign="top">Blocked</td>
<td valign="top">Allowed</td>
</tr>
</table>
<p style="margin-bottom: 0in">Computer programs are pretty good at following instructions like these. But for a human brain it can quickly get overwhelming, so I highly encourage you to keep it simple. One of the longer robots.txt files I&#8217;ve encountered is from <a href="http://www.seobook.com/">www.seobook.com</a> - it&#8217;s over 300 lines long. The site owner Aaron Wall is the author of the excellent SEO Book; he knows what he&#8217;s doing.</p>
<p style="margin-bottom: 0in">For us mortals there is a robots.txt analysis tool in Google&#8217;s webmaster tools (<a href="http://google.com/webmasters/sitemaps/siteoverview">http://google.com/webmasters/sitemaps/siteoverview</a>). Highly recommended. Another good resource for more information on the Robots Exclusion Standard is <a href="http://www.robotstxt.org/">www.robotstxt.org</a>.</p>
<p style="margin-bottom: 0in">&nbsp;</p>
<p style="margin-bottom: 0in">Today when companies are spending a lot of money to be <u>included</u> in search engine listings, the idea of excluding your content may seem quaint. But from a security perspective there are many valid reasons for limiting what a search engine indexes on your site. See my <a href="http://www.digitalsecurityreport.com/">Digital Security Report</a> for more information.</p>
<p style="margin-bottom: 0in">&nbsp;</p>
<p class="akst_link"><a href="http://www.digitalsecurityreport.com/blog/?p=17&amp;akst_action=share-this"  title="E-mail this, post to del.icio.us, etc." id="akst_link_17" class="akst_share_link" rel="nofollow">Share This</a>
</p>]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/robotstxt/feed</wfw:commentRss>
		</item>
		<item>
		<title>Update to WordPress 2.2.2</title>
		<link>http://www.digitalsecurityreport.com/blog/wordpress/update-to-wordpress-222</link>
		<comments>http://www.digitalsecurityreport.com/blog/wordpress/update-to-wordpress-222#comments</comments>
		<pubDate>Tue, 07 Aug 2007 04:55:08 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[WordPress]]></category>

	<!-- AutoMeta Start -->
	<category>wordpress</category>
	<category>update</category>
	<category>immediately</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/wordpress/update-to-wordpress-222</guid>
		<description><![CDATA[If you are using WordPress 2.2.1 you should immediately get the 2.2.2 security update.
The discovered bug is a  Cross-Site Scripting vulnerability. See http://trac.wordpress.org/ticket/4689 for more details.
The WordPress developers assigned this bug a priority of &#8220;highest omg bbq&#8221;  
]]></description>
			<content:encoded><![CDATA[<p>If you are using WordPress 2.2.1 you should immediately get the 2.2.2 security update.</p>
<p>The discovered bug is a <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-Site Scripting</a> vulnerability. See <a href="http://trac.wordpress.org/ticket/4689">http://trac.wordpress.org/ticket/4689</a> for more details.</p>
<p>The WordPress developers assigned this bug a priority of &#8220;highest omg bbq&#8221; :-)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/wordpress/update-to-wordpress-222/feed</wfw:commentRss>
		</item>
		<item>
		<title>How secure is your web site?</title>
		<link>http://www.digitalsecurityreport.com/blog/security/how-secure-is-your-web-site</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/how-secure-is-your-web-site#comments</comments>
		<pubDate>Mon, 30 Jul 2007 17:47:29 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>web</category>
	<category>site</category>
	<category>security</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/how-secure-is-your-web-site</guid>
		<description><![CDATA[Even if your web site does not hold any national security documents you should take the security of your web site seriously. This is especially important if you are selling products on your web site.
A typical setup is that you have one or more sales pages for your product and when a prospect clicks on [...]]]></description>
			<content:encoded><![CDATA[<p>Even if your web site does not hold any national security documents you should take the security of your web site seriously. This is especially important if you are selling products on your web site.</p>
<p>A typical setup is that you have one or more sales pages for your product and when a prospect clicks on an order link they are redirected to PayPal, 2CheckOut or some other payment processing service. This setup is good for several reasons, the most important being the fact that you avoid having to deal with credit card numbers and other sensitive customer information. So far in 2007 there have been published reports of more than 89 million identity records exposed from data breaches. See the <a href="http://www.idtheftcenter.org/">Identity Theft Resource Center</a> for some really scary reading. Leaving data theft worries to companies who specialize in handling financial information is a great strategy for most small businesses.</p>
<p>But that does not leave you totally in the clear. If you are selling a digital product that the customer can download immediately after the purchase, you need to ensure that the product is protected. There are many ways that web site owners inadvertently leave their valuable products unprotected – making them available for free to anyone who knows where to look.</p>
<p>Here are the 3 most common errors:</p>
<h3>1. Easy to guess filenames.</h3>
<p>If the title of your e-book is “AdWords Secrets”, then don&#8217;t name the file AdWordsSecrets.pdf. It is just too easy to guess that the URL for downloading your e-book might be www.example.com/AdWordsSecrets.pdf</p>
<p>At least add a version number or a date into the filename, e.g. AdWordsSecrets_v42.pdf or AdWordsSecrets_20070707.pdf. This will make it much more difficult to guess the filename and the URL.</p>
<h3>2. Search engines indexing the download page or the product itself.</h3>
<p>Today&#8217;s search engines are extremely efficient in spidering content on the web and keeping your web pages secret from search engines is becoming increasingly difficult. Even if you don&#8217;t have any public links to your secret product download page there are several ways that a search engine can find out about the page and index it. Once it&#8217;s indexed anyone who uses that search engine may see your product download page in the search results, and they can download your product for free.</p>
<p>You should regularly check what each search engine knows about your web site. In most major search engines you can use the site: operator, e.g. site:example.com, to get a listing of all the pages on your web site that have been indexed.</p>
<h3>3. Improperly configured robots.txt</h3>
<p>robots.txt is a text file that you can place on your web server to guide search engines to what content they are allowed to index and what is off limits. While this may prevent most search engines from indexing your secret web pages, it opens up another vulnerability: any curious web surfer is able to view your robots.txt file. If the file explicitly forbids search engines from looking in the /downloads or /report directories, then it&#8217;s very likely that&#8217;s where the secret files are stored. With this knowledge the web surfer can more easily find your product and download it for free.</p>
<p>You need to strike the right balance between protecting certain files and directories in robots.txt while not revealing too much about the structure of your web site.</p>
<p>Selling digital products online is a great business. Make sure that you get paid for the products that you have painstakingly created by following the guidelines above and applying common sense.</p>
<p>More details on how to protect your digital products can be found in my latest report: <a href="http://www.DigitalSecurityReport.com/">The Digital Security Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/how-secure-is-your-web-site/feed</wfw:commentRss>
		</item>
		<item>
		<title>A computer virus primer</title>
		<link>http://www.digitalsecurityreport.com/blog/security/pc-security-12</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/pc-security-12#comments</comments>
		<pubDate>Fri, 27 Jul 2007 19:02:05 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>message</category>
	<category>deadly</category>
	<category>spin</category>
	<category>offer</category>
	<category>prank</category>
	<category>warning</category>
	<category>affiliate</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/pc-security-12</guid>
		<description><![CDATA[A computer virus cannot give you a cold or flu or anything more deadly. A computer virus is a program that causes harm to the computer or worry to the user. Today the manner of transmission is usually via the Internet either from web sites that you access or e-mails that you receive.  Understand [...]]]></description>
			<content:encoded><![CDATA[<p>A computer virus cannot give you a cold or flu or anything more deadly. A computer virus is a program that causes harm to the computer or worry to the user. Today the manner of transmission is usually via the Internet either from web sites that you access or e-mails that you receive.  Understand that many people who you inform that they have sent out a virus will not thank you for that information and often it is ignored by small businesses or charities.</p>
<p>Many years ago in the days of 8086 computers there was a little program called drain. You usually ran it from a floppy disc and the prompt on the computer looked normal and then whatever the person tried to do on the computer next the  program displayed a warning message that water had been located in the hard drive. The system would now attempt to remove the water. A message was displayed that “the spin dry cycle was started” and it sounded as though a spin dryer was starting and water was gurgling out of the machine. The program completed with the message that &#8220;the spin dry cycle was complete&#8221;. Mostly this was harmless fun where one person would play a prank on a colleague, friend or a family member. It could cause considerable concern to the person who was suddenly faced with water in their hard drive. I would not recommend this prank being played on someone who had a bad heart. Pranks like this are still perpetrated but the virus in these days is more deadly, and it damages or destroys data or even the computer operating system.</p>
<p>Computer virus detection is big business and has to operate 24 hours a day 7 days a week. Special dates like Friday 13th or 07/07/07 are obvious targets for the virus writers to aim at. You never know when a virus may hit and disable your computer network. I remember turning up for work at an office and every 5 minutes there was a warning broadcast on the public address that no-one was to turn on their computers as the network servers had been attacked by a virus and they did not want any other computers infected before they received the patch. This was a company where every e-mail was scanned by the ISP prior to being allowed onto the local system and then scanned again both at the e-mail server and by your own computer. Always take the time to regularly update your anti-virus software and any anti-spam, adware, spyware, or malware defenses. It is worth paying to allow another year&#8217;s updates of anti-virus etc. If it is too expensive then consider the options and give up a meal or two in a restaurant and eat at home.</p>
<p>A Trojan horse is what appears to be a harmless or even a helpful program that is in fact harmful and may be deadly. This may be a virus or spyware installation. When you are offered a free program ask if you are 110% certain that the person or web site offering the product has no malicious or financial motive for harming you or your computer. The only way you can be certain is if the program comes from a trusted friend or a well-trusted web site such as an anti-virus web site. Otherwise do not download.</p>
<p>Put in place a firewall that can prevent a person or program from accessing your computer. These firewalls can be hardware or software based. Recently I have been researching a wireless router for my home network and I noticed that a large number of the routers had a firewall built in to protect from unauthorized access. Also within Windows there is a firewall program and also in a number of the other all-in-one virus and Internet suites such as Norton Internet Security or Kaspersky. Put as much in as you can now and then research how effective the computer magazines think this is so you can decide if there is something else on the market that is better.</p>
<p>To run a computer without anti-virus software in these days is like playing Russian roulette. Very quickly you will find your computer gets very badly infected. If you do not believe me then some of the large anti-virus companies offer a facility to check your computer online. Look at Symantec&#8217;s web site. I should imagine that McAfee, Kaspersky and others have a similar offer. If you have a computer that is on the Internet and not protected by an anti-virus system then try out one or more of these free offers to see what the state of your computer&#8217;s infection is.</p>
<p>Shop around and find yourself some affordable protection. You may need to look on the web, and find out local prices and those on the Internet. If you have any sort of affiliate program running on the web then you may want to look at becoming an affiliate especially if you can save on buying the anti-virus for yourself. Today the anti-virus software can be downloaded from the net but make sure you are on the exact site you want.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/pc-security-12/feed</wfw:commentRss>
		</item>
		<item>
		<title>Phishing and identity theft is big business</title>
		<link>http://www.digitalsecurityreport.com/blog/security/pc-security-11</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/pc-security-11#comments</comments>
		<pubDate>Wed, 25 Jul 2007 19:00:50 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>intrusion</category>
	<category>detection</category>
	<category>giving</category>
	<category>commercial</category>
	<category>systems</category>
	<category>source</category>
	<category>intrusions</category>
	<category>versions</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/pc-security-11</guid>
		<description><![CDATA[Phishing is sending out an e-mail that appears to come from a reputable business and asking for information. This information can then be used to access your bank or credit information. Identity theft is someone who manages to find your id&#8217;s and passwords so they can pretend to be you. It may be that they [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal" style="margin-bottom: 5.75pt">Phishing is sending out an e-mail that appears to come from a reputable business and asking for information. This information can then be used to access your bank or credit information. Identity theft is someone who manages to find your id&#8217;s and passwords so they can pretend to be you. It may be that they will attempt to pretend to be you by sending e-mails out in your name. It may be that they will access your bank details and steal money from you or arrange for loans in your name.</p>
<p class="MsoNormal" style="margin-bottom: 5.75pt">There are many different program names that can be installed on your system by unscrupulous people. They all come under the general name of keyloggers as they will create a log of the keystrokes you make including web site names and access passwords. As it is in the form of separate keystrokes then it needs to be put together by a program to get unscrambled information that can be analyzed. This can then be used to target advertising to you and your preferences when you access the web site.</p>
<p class="MsoNormal" style="margin-bottom: 5.75pt">Intrusion detection systems are becoming more and more important. You do not know what someone else or an intrusive program is going to do, so the aim is to stop it when it begins to intrude into your computer. Stop the intrusion before you lose your information.</p>
<p class="MsoNormal" style="margin-bottom: 5.75pt">Open source and commercial intrusion detection systems. It sounds very posh but it is all very simple. In order for your computer to be infected by adware, spyware or malware there must be some sort of intrusion of some software from outside your computer into your computer&#8217;s system. So in order to detect and prevent problems with adware, spyware or malware the prevention of their intrusions is the best place to start. The software then is called an intrusion detection system. There are commercial versions of these systems from people like Symantec, Kaspersky and McAfee and also there are open source versions of this software. Open source software can be acquired for free but the whole idea of open source is to contribute to the continuing development of the product either by giving some money when you get it, or by contributing to the user group or by writing some new parts of the software when needed. I am not making any recommendations of the best commercial or open source software to purchase as the situation could change in the next few days and either a new company comes into the market that is the best or one of the established companies gets it wrong and a large number of people become infected. Beware of any company boasting about their ability to completely eradicate adware, spyware and malware as there are always new problems coming to light. Beware of taking any free software at face value as there are some unscrupulous people who say they are giving away an intrusion detection system and all they are giving you are copies of spyware and malware programs to infect your system. So read computer magazines and reviews on the web, and ask not only your friends but also your business contacts to see what they are using. If you are working for a company, what do they use, and can the same software be installed on your home computer at no extra cost in order to prevent cross infection when you take work home? It is always worth asking and even if they say no there may be someone in your IT department who can recommend an open source, free or low-cost software.</p>
<p class="MsoNormal" style="margin-bottom: 5.75pt">In order to minimize the intrusions into your computer it may be necessary to surf anonymously. This is even more important when your company or country blocks certain web sites that you want or need to have access to. A company may block access to MySpace and other gaming sites so that employees work when they are supposed to, but that may not be very helpful when someone is working out of hours and is waiting for results of tests, so a proxy server may be the answer. Also within some countries there may be attempts by the government to block access to certain sites. The countries with the most extensive list of blocked sites are Iran and China.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/pc-security-11/feed</wfw:commentRss>
		</item>
		<item>
		<title>What is the difference between adware, spyware and malware?</title>
		<link>http://www.digitalsecurityreport.com/blog/security/pc-security-10</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/pc-security-10#comments</comments>
		<pubDate>Mon, 23 Jul 2007 18:59:27 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>spyware</category>
	<category>adware</category>
	<category>malware</category>
	<category>confidential</category>
	<category>annoying</category>
	<category>snoop</category>
	<category>script</category>
	<category>search</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/pc-security-10</guid>
		<description><![CDATA[Spyware is software that enables an individual or company to see what web sites you are accessing, search your hard disc for &#8220;useful information&#8221; and learn your account numbers and passwords. Adware on the other hand will display adverts for various types of products and services available on the Internet. Adware is annoying; [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoBodyText">Spyware is software that enables an individual or company to see what web sites you are accessing, search your hard disc for &#8220;useful information&#8221; and learn your account numbers and passwords. Adware on the other hand will display adverts for various types of products and services available on the Internet. Adware is annoying; spyware can be catastrophic to your computer and to you. Malware is spyware in its worst form: in the end the malware will give all of your computer information to a third party, mess up your web browser settings and your Internet sites, and prevent you from using your computer because it runs so slowly.</p>
<p class="MsoNormal">Spyware can perform many functions. One single spyware program or script on your computer can install other spyware onto your computer, so instead of having one spy looking at your computer there can be many. Each program and script will have the effect of slowing down your computer. Spyware can also mutate, so that the simple program that comes into your system first will become a more complex second generation program which is harder to remove and will collect more information from your computer. Spyware and adware can both deliver annoying advertisements, so when you want to do a task you are slowed down and unable to do what you want to do quickly. Spyware will also search through your hard disc. The spyware will search all your cookies to see what websites you have accessed; it will snoop to see what applications are on your system and scan all the files located on your hard disc. Spyware will snoop on you by reading your keystrokes to find out exactly what you are doing, so confidential information can be read and known. This information could be company confidential, trade secrets, or government classified; it could also be detailed information on a takeover or other secret information. Anything that is keyed into a computer or is stored on the hard disc can become public knowledge. Your credit card and national insurance numbers are spied upon together with passwords and your other personal information. Spyware can change the home page on your web browser, sometimes to a page that would be embarrassing for your partner to see and for you to explain. Spyware will add advertising links to your web pages that you are not paid for but the spyware owner is paid for. Spyware will never allow the computer user any uninstall option and often places itself in unexpected places, making it difficult to remove.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/pc-security-10/feed</wfw:commentRss>
		</item>
		<item>
		<title>Protect yourself (and your friends) from spam</title>
		<link>http://www.digitalsecurityreport.com/blog/security/pc-security-9</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/pc-security-9#comments</comments>
		<pubDate>Fri, 20 Jul 2007 18:57:21 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>spam</category>
	<category>folder</category>
	<category>laws</category>
	<category>provider</category>
	<category>mail</category>
	<category>address</category>
	<category>server</category>
	<category>country</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/pc-security-9</guid>
		<description><![CDATA[Spam is the next thing we need to consider. What is spam? The basic reply is unwanted or junk e-mail.  Note that some countries already have laws in place to make spamming an offense but the problem comes when the e-mail is sent from a country other than your own. Get to know the [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoBodyText">Spam is the next thing we need to consider. What is spam? The basic reply is unwanted or junk e-mail. Note that some countries already have laws in place to make spamming an offense but the problem comes when the e-mail is sent from a country other than your own. Get to know the laws concerning spam in your own country so you do not unintentionally break the law. A simple example is that it is very tempting when your wife has just had a baby to tell everyone in your e-mail address book of the facts, but that could constitute spam. Make sure you check your spam folder regularly. By regularly I mean at least once a day so you can delete anything that is spam and deal with any e-mails that have ended up in the spam folder by mistake. It is no good deleting everything in the spam folder every month only to find that someone has been trying to contact you and has become very upset as their e-mails have been deleted without being read.</p>
<p class="MsoBodyText">Avoid releasing your own e-mail address out on the net. If you have a web site or advertise online use a generic e-mail address like &#8220;sales@account.com&#8221; rather than one specifically aimed at you. The other option is to set the link so that it is checked before allowing spam in. Look at the options on the Internet and also those from your ISP.</p>
<p class="MsoBodyText">Get spam blocking software. This can be integrated with your existing anti-virus, be part of your mail server or be a stand-alone program that runs in the background on your computer.</p>
<p class="MsoBodyText">Get multiple e-mail addresses. That way you can start to find out if someone is either selling off your e-mail address or is using a spider to locate potential e-mail addresses.</p>
<p class="MsoBodyText">Do not open attachments from people you do not know. It seems a simple statement, but when you are tired or have had a few days away from your computer you may not always avoid this one. It does not matter what is promised; the danger is not worth it, even if it is your favorite film or TV star.</p>
<p class="MsoBodyText">Get an e-mail provider who can process bulk mail baskets. Another way to try and stop the spam is for your e-mail provider to help you by locating e-mails that are sent out to many addresses. They are not passed to you but held on the e-mail server for you to check. Again, check the e-mails held this way regularly and only read those whose senders you know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/pc-security-9/feed</wfw:commentRss>
		</item>
		<item>
		<title>Keep your PC from becoming infected</title>
		<link>http://www.digitalsecurityreport.com/blog/security/pc-security-8</link>
		<comments>http://www.digitalsecurityreport.com/blog/security/pc-security-8#comments</comments>
		<pubDate>Wed, 18 Jul 2007 18:54:48 +0000</pubDate>
		<dc:creator>Nick Dalton</dc:creator>
		
		<category><![CDATA[Security]]></category>

	<!-- AutoMeta Start -->
	<category>firewall</category>
	<category>turn</category>
	<category>modem</category>
	<category>browser</category>
	<category>norton</category>
	<category>cable</category>
	<category>inside</category>
	<category>stopping</category>
	<!-- AutoMeta End -->
	
		<guid isPermaLink="false">http://www.digitalsecurityreport.com/blog/security/pc-security-8</guid>
		<description><![CDATA[Patch your computer&#8217;s operating system. Many people get the idea that operating system manufacturers are only there to cause hassle. In fact they are there as a safeguard. Take the time to look at the patches that are being downloaded. The vast majority are there to improve security. It is in your best interests to [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoBodyText">Patch your computer&#8217;s operating system. Many people get the idea that operating system manufacturers are only there to cause hassle. In fact they are there as a safeguard. Take the time to look at the patches that are being downloaded. The vast majority are there to improve security. It is in your best interests to close any security or virus holes and keep your computer and its data safe.</p>
<p class="MsoBodyText">Turn on your firewall. It sounds so simple but with Windows XP there is a firewall so turn it on. In Windows Vista there is Windows Defender to stop spyware and Windows Firewall to prevent unauthorized access to your computer. Remember that as these Microsoft Windows tools are so common they are often the first to be targeted by those seeking to gain access to your computer.</p>
<p class="MsoBodyText">Browser settings set for maximum security. This seems like common sense but it adds to your work. You will need to authorize when a site can be accessed and so it will slow down the speed of your surfing at times. Protect yourself and your work by checking these security settings. You can also protect yourself by choosing another Internet browser. There are many free ones to choose from; Opera, Mozilla and Mozilla Firefox are some that come to mind. If you wish to amend Internet sites then you may want to consider Mozilla SeaMonkey. Try them out and see what you prefer. It is often down to personal preference.</p>
<p class="MsoBodyText">Install anti-virus and set for auto update. Most computers will come with an anti-virus or a complete package such as Norton Internet Security. It is good to try out the package you have there. Make sure that when your trial period runs out you have selected a new anti-virus or Internet security package. Take a look at Norton, McAfee or Kaspersky and surf the web for other options. Always take advice from computer magazines and friends as to the packages they use so that you will not be caught by a site offering anti-virus software that really infects your machine instead.</p>
<p class="MsoBodyText">Do not open unknown e-mail attachments. It may be a beautiful picture on the outside and a whole heap of trouble on the inside. If you do not recognize who this is from then bin it.</p>
<p class="MsoBodyText">Do not run programs from unknown origins. There are literally millions of programs and scripts on the Internet. You could say that most of them are harmless to your computer but that can still mean hundreds of thousands of programs that will cause harm either to you, or your computer or both.</p>
<p class="MsoBodyText">Disconnect your computer from the Internet when not using it. That is easy for me to say sitting on a portable with easy access to the LAN cable and a switch to turn off the wireless LAN. It may be a different matter as you sit with your computer linked to a LAN and the local printers and file servers are attached to that and the link to the Internet is simply another path to it. If you have some sort of system responsibility for the LAN then consider the positioning of firewalls and defenses both inside the LAN and at the junction of the LAN and the Internet. It may be that you have a single computer linked directly to the LAN via a modem but everything has been neatly installed so you cannot physically get access to the LAN cable or the modem to break the link. In that case, spend the time learning to use the icons in the notification area of your computer to programmatically turn off the Internet connection while you are doing other things.</p>
<p class="MsoBodyText">Turn off your computer if you are not going to use it for a while. Note that this is a trade-off. If you are stopping long enough to make a drink and a toilet break then leave the computer on, as starting and stopping the computer are the most dangerous times. Some companies that I have worked for insisted that their employees and consultants leave the personal computers running all the time and only turn off the screen. This is impractical in these days when your computer network links to the Internet and many threats come from that direction. The point I want to make is that if you are leaving your computer for a number of hours consider turning it off. If you leave it for a few minutes check to see if anything has been running while you were away.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsecurityreport.com/blog/security/pc-security-8/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
