WordPress Insertion Attacks

Egghead has posted word of a new WP insertion attack here. Those who had been holding out on upgrading to 2.3 may still be vulnerable too, as earlier versions apparently can also be hit this way.

For bloggers on WP, in any case this would be a good time to have this plug-in installed and enabled (along with the patch Jaimie's working on for the benefit of the community).


Facebook Giveth, Taketh Away

Again this week arises the topic of the kind of inter-site dynamic that can make for a big difference between "deleted" and "deleted everywhere."

As reported yesterday in TechCrunch, the accidentally leaked code that apparently powers some of Facebook's front-end has now been pulled after a few days' short life on Blogger.

While some people are saying that it took a while for the DMCA violation notice to make its way through the system, I'm kind of inclined to assume action was taken as soon as those taking it knew of the issue. Word is in recent weeks Facebook hired up on the Legal end, taking on staff formerly of a company with a rep for not messing around once it gets wind of shit going down.

As of just before midnight Pacific time, however, much of the freshly censored content was still viewable in Google's search engine cache. At the time of this writing this is no longer the case, but for another hour or three perhaps, the blip still echoes in Yahoo.


Myspace, Meet SEO 101

To-day one of the profiles I manage there was down for a few hours, for "routine maintenance." Shortly afterward I noticed a couple of changes on Myspace worth noting:

Their robots.txt file has changed since the last time I mentioned it; moreover, the change happened just to-day. I know this because to-day I was, pseudo-paranoid that I am, looking up my temporarily-downed profile in archive.org in case for some off-the-wall reason I was about to lose it (I've heard of people losing profiles innocently on occasion). In the morning I was able to get to some older caches of it, yet now, nearing 11pm Pacific time, it's no dice: they have at last issued their first 'bot block, and it's of ia_archiver.

My guess is this is to make it harder for spammers or other undesirables to scrape content, for generating profiles and/or restoring banned content in fresh ones. The other big reason to do this would be user privacy issues. Pretend for a moment that you're a female Myspace member being harassed by an ex-boyfriend (statistically a cyber-stalker would probably be male). You're pushed to extreme measures and delete your profile(s) altogether. Here arises ye olde SERM query: is it deleted everywhere, truly wiped from the face of the 'Net into a sheltering oblivion? Maybe, maybe not. It depends how it was removed, and whether someone copied it down first, even if it was removed thoroughly upon being cut.

That's the best theory I have for the reasons behind a change of this ilk. Anyway, whatever higher purposes it serves, this one inhibits me from illustrating something else of interest (though many active Myspace marketers will see this next one plainly upon checking), also a change at least somewhat recent:

They are also making progress with adopting basic tagging standards, by now making profile TITLE tags more descriptive. This is happening now with both regular user and band profiles. Not long ago, if you had one of these its title would just mirror your custom URL, e.g.


Now though, if you have a regular user profile it's something more like

<TITLE>Myspace.com - yourName - yourAge - yourGender - yourCity, yourState - www.myspace.com/yourURL</TITLE>.

The same principle applies if you have a band profile. In that case, your new tag template is

<TITLE>Myspace.com - yourBand - yourCity, yourState - yourGenre1 / yourGenre2 / yourGenre3 - www.myspace.com/yourURL</TITLE>.

Obviously this item is also a simple but very significant edit. It helps reduce duplicate content issues some, to be sure. If you've ever tried to find someone on Myspace you probably already know it used to be pretty difficult sometimes. Various parameter values can be shared limitlessly and logically. But now, presto: pinpointing people - or at least who/what they say they are - on Myspace, and also searching for such profiles within Google and other engines, just got a whole lot easier. On sites as huge as this, there is no such thing as a minor SEO change, really.

It looks like Myspace may be taking a few SEO 101 lessons from Google since buddying up with them. Or perhaps, certain SEOs now within the FIM ranks (you know who you are 😉 ) are behind these gradual but serious improvements.

Ironically, the TITLE tag changes actually make it easier for targeted social marketing or other structured, granular queries in some ways. To target specific demographics and point-of-interest indicators, scrapers no longer necessarily need to look to the Myspace domain itself. Now, when one wants to do simple filtrations like weeding out a solid sampling of 30 year-old males in San Francisco, for example, one can just use Google operators.
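To make that concrete, here is an added example (not code from the original post, and not anything of Myspace's) that parses the two TITLE templates quoted above into fields and filters a batch of titles the way a scraper, or a Google operator query, would. The sample titles are constructed and fictional, the gender values are an assumption about what the template fills in, and the `google_query` string is only an illustration of the operator approach, not a documented Myspace or Google feature.

```python
import re
from typing import Optional

# Constructed sample TITLE strings following the two templates quoted above.
# Fictional profiles; none of these are real Myspace pages.
SAMPLE_TITLES = [
    "Myspace.com - Alex - 30 - Male - San Francisco, California - www.myspace.com/alex_sf",
    "Myspace.com - Jamie - 30 - Female - San Francisco, California - www.myspace.com/jamiej",
    "Myspace.com - Chris - 30 - Male - Oakland, California - www.myspace.com/chris_o",
    "Myspace.com - Dana - 41 - Male - San Francisco, California - www.myspace.com/dana41",
    "Myspace.com - The Static Hiss - San Francisco, California - Punk / Garage / Noise - www.myspace.com/thestatichiss",
    # Pre-change title: just the custom URL, so there is nothing to extract.
    "Myspace.com - www.myspace.com/oldstyleprofile",
]

# Regular user template: Myspace.com - name - age - gender - city, state - url
USER_RE = re.compile(
    r"^Myspace\.com - (?P<name>.+?) - (?P<age>\d{1,3}) - (?P<gender>[^-]+?)"
    r" - (?P<city>[^,]+), (?P<state>[^-]+?) - (?P<url>www\.myspace\.com/\S+)$"
)
# Band template: Myspace.com - band - city, state - genre1 / genre2 / genre3 - url
BAND_RE = re.compile(
    r"^Myspace\.com - (?P<band>.+?) - (?P<city>[^,]+), (?P<state>[^-]+?)"
    r" - (?P<genres>.+?) - (?P<url>www\.myspace\.com/\S+)$"
)


def parse_title(title: str) -> Optional[dict]:
    """Split a post-change Myspace TITLE into its fields; None if it fits neither template."""
    m = USER_RE.match(title)
    if m:
        fields = m.groupdict()
        fields["kind"] = "user"
        fields["age"] = int(fields["age"])
        return fields
    m = BAND_RE.match(title)
    if m:
        fields = m.groupdict()
        fields["kind"] = "band"
        fields["genres"] = [g.strip() for g in fields["genres"].split("/")]
        return fields
    return None


def find_profiles(titles, *, age=None, gender=None, city=None):
    """Return the profile URLs of user titles matching every criterion given."""
    hits = []
    for title in titles:
        p = parse_title(title)
        if p is None or p["kind"] != "user":
            continue
        if age is not None and p["age"] != age:
            continue
        if gender is not None and p["gender"].lower() != gender.lower():
            continue
        if city is not None and p["city"].lower() != city.lower():
            continue
        hits.append(p["url"])
    return hits


def google_query(age, gender, city, state):
    """The sort of operator query the post alludes to. Because the fields sit in
    the TITLE in a fixed order, one quoted phrase pins down a demographic without
    touching the Myspace domain at all. Illustrative only; operator behaviour is
    the engine's business, not this snippet's."""
    return f'site:myspace.com intitle:"{age} - {gender} - {city}, {state}"'


if __name__ == "__main__":
    print(find_profiles(SAMPLE_TITLES, age=30, gender="Male", city="San Francisco"))
    print(google_query(30, "Male", "San Francisco", "California"))
```

The point is the asymmetry: the same fixed field order that de-duplicates titles for the engines also turns every indexed profile into a structured record, so anyone doing the filtering above needs neither an account nor a single request to the site.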


Horsing Around w/Trojans

NYC was great and continued into a good week. Alas, it didn't take long for me to bog down my evenings' productivity once I got back, though:

I'm loving my new ThinkPad but am still getting used to the sensitivity of the keyboard and the little red clitoris eraser head in the middle of it. Between that and working at an ambitious pace, I foolishly clicked on something I shouldn't have a few nights ago. I ended up infected with Trojan.Purity, Trojan.Vundo and a host of other annoyances.

I took several passes both in and out of Safe Mode, and with several tool scans. After working through Spybot S&D, Symantec AntiVirus, Spycatcher and a couple of lightweight removal tools made specifically for the main afflictions, I was getting worried. AntiVirus was only partially quarantining items, and only finding them in normal system mode. Spycatcher was only finding a few, and not able to delete all of them. Spybot was seeing almost none of the problems, so it couldn't even take a stab at fixing them. To my particular surprise, Symantec's Vundo Remover was failing to find all of the problems, and their list of suggested registry deletions for that one in particular was a mile long. I'd already cleaned Purity out that way by the time I knew I was also deeply hit by Vundo, but wasn't keen to get that deep into the latter of the known problems. This was getting pretty frustrating.

I've been a Symantec user since the very early years of Norton Disk Doctor, and I've had colleagues and personal friends in and out of there and Veritas over the years. Even after they stopped supporting certain products on certain platforms, I've held some loyalty. Also, the small freeware removers some developers had posted were getting stuck in loops, concentrating on a couple of .exe and .dll files that were either holding steadfast or continually coming back from the dead. Moreover, Microsoft's common malware removal tool looked so general on close inspection that it wasn't even worth bothering with. This was starting to take hours.

At the end of it though, I made a pretty cool new discovery: thanks to Prevx for kicking ass and finally taking all the pain away. You're my heroes this week after finding and successfully removing what eventually had become not 2, not 4, not 10, but a whopping 19 malignancies. I plan to sign up after my trial expires, and look forward to a week-end of cleanliness returned to my cherished new toy. (Be warned, however, that if/when a day comes that I come down with something you can't fix, I'll be kicking and screaming to you about it.)


Privacy, SERM and SEO

There's an interesting thread just started over on Quad's blog on this.

As an SEO with a bit of security and also content management industry experience who (partially as a result) works and lives under a few different identities online, I've got many a thought on this... and it would be inappropriate for me to put them into any comment when the comment would be longer than the post that inspired it. That said:

On a public Web, by definition users are all public figures - both selling and buying something at all times - and the average one probably doesn't much know it, or at the very least not to what extent it actually happens.

Good SEOs can sport mad skillz to exploit and/or patch some things, sure. However, unless SEOs have specifically deemed otherwise ahead of time, it's not like everything that makes it into caches isn't still indexed, or at least saved in some other form somewhere. Search engine reputation management (SERM) services can certainly help evaluate escaped genies, but engines still function like some countries' legal systems in that one's public record is one thing, and one's private record is another (still visible to judges).

One needn't ever publish anything though, to leave traces from which behavioral profiles can be gradually built. One need but swallow a cookie or three and let it sit in the browser's gut a while.

Behind my back I can see them stare

Returning to the analogy, if we were to equate the judges with engines and others who are in the business of not just providing information massively but also gathering it to sell intelligent, personalized, narrow-cast advertising services... we can remember there's a level of discussion beyond the fact that many users nowadays subscribe to the "if you don't have a blog/Myspace/etc., you don't exist" lifestyle. This is not just a privacy issue. It's also that whatever traces, Easter eggs, direction and/or misdirection one publishes about oneself directly informs how one gets marketed to through such services (now and to-morrow).

So yeah, we can note that everyone from businesses to the "reality" programming oriented generations is increasingly sacrificing privacy in favor of convenience and "I blog therefore I am" approaches to finding social validation, but the traces left are perhaps somewhat tempered, i.e. in some (who knows what) ratio relative to the pace of the greater expansion of information and noise. Moreover, empowered with new easy socializing and publishing capabilities, users now own product and service brands more and more, so that tempers the situation a bit too...

Such counter-balances, however, might be pretty dwarfed by a looming shadow regardless: the steadily growing potential for the general assimilation of e-commerce and social networking into search, leaving only three general entities online for perhaps many years to come: publishers, marketers/advertisers, and search engines (each of which is still also both a brand and a consumer in its own way, level and right).


New SecureZIP v11: Free!

OK, so to-day I was setting up some automated competitive monitoring for a client, to facilitate report deliveries. In the process I realized that a certain recipient network seems to be blocking .zip attachments in incoming email under certain conditions, for antivirus purposes.

This was an understandably common reaction IT departments had when worms and other virus types started appearing masked as .zip files, 2.5 years ago or so. However, from a technologist's perspective that was kind of like treating the immediate urgent symptom as opposed to the real enterprise-level problem.

Anyway, so I went to take it up with the managers of that network, and in the process of suggesting SecureZIP I found that its maker, PKWARE, happens to have a new version out now, and for a limited time is giving away licensed, fully-enabled copies to promote it!

Now of course, I don't work in any way for, nor do I have any other active professional affiliation with, PKWARE anymore, but SecureZIP v8 has remained my file compression/decompression and encryption/decryption utility since I was there. I never tried versions 9 or 10, but dude! Free software, legally!

Let's all give it a try, shall we? Fellow security geeks who are into pun-laden passwords, digital certificates, biometrics and such: have fun with this. Folks who are into squeezing as much optimized bandwidth out of their pipes, and also space on their drives, servers and mainframes: you should be interested in this too.


P.S. - Again, this post is not linkbait. It's not like I won't have to publish a diplomatically-put update to it, should anything in v11 seem concerning to me when I try it later to-night or to-morrow.


Myspace: Protecting our Kids from...

...perverts? pedophiles?!? Aye, of course but let's not forget (and perhaps most of all):


Samy (the lad whom I mentioned a couple of weeks ago) is now feeling the not-so-swift but nonetheless serious hand of Myspace justice, as reported in SC Magazine yesterday. Man. Don't mess with the Fox / NewsCorp people; some of them take being shaken up a bit quite seriously (even when the shaker isn't really shaking to make money or disrupt them).

I found this on Myspace, ironically.

...OK, technically yes, Samy was no baby, and he did commit a crime that he's got to pay for. He was legally an adult when he let his worm loose on them, but by a mere year or two. That no doubt made all the difference in determining his punishment (despite undisclosed details about the $ part).

It doesn't necessarily mean that Myspace taking it as far as an actual trial for his childish behavior would've been the most mature response, though. I wonder if taking him to court with the aim of settling so as to put him to (unpaid) work for them for a period of time would've been a better strategy, i.e. retaining more street cred while putting some obviously skilled help on tightening up their sites. With hackers and spammers, it often takes one to fight one... and sometimes it's better to take the high ground and look for a potential advantage in a situation, than it is to go making an example of someone to try sending a message like they did here.

They have been getting it together lately though. Word is they've been working in more email verification requirements, IP blocking, and a stronger CAPTCHA in the past week.

Anywho, I've been putting off getting one of the T-shirts for a while. It's about that time now though... just in case the better design sells out and/or their prices get raised. Besides, they probably qualify as retro chic now. Two years counts as retro in Internet time, right? I should think so.

I wonder how long Samy's direct record (complete with the code overview, screenshots, links and a guestbook) will be allowed to stay live. Those who haven't seen it are encouraged to check out the retrospective now in case it gets yanked soon per the recent court ruling.


Speak of the Devil...

and hear wings rustle.

It's been another interesting discovery day in the world of Myspace, whom I happened to allude to yesterday, albeit on a different point.

I maintain that if I were them I'd be flapping hard, despite how the only way entrepreneurs are directly monetizing them (to my knowledge) is by pushing profile tweaks and lookie-loo webcam sites via fake profiles (areas which unto themselves have some serious coin in them): RSnake's Fierce has now revealed their "Content Take-Down Tool"...

Content Take-Down

also their Site Admin...

Site Admin

and the location of their Webmail...


and... sheesh. Hopefully they're hiring Engineers as aggressively as they say they're hiring Sales reps. 😛

I really don't know much about Web security or IT, but meself, I'd have thrown some spider traps on all this. Also, their public site's robots.txt is surprisingly simple and inviting for the business they're in. There are a ton of sites that are a spit in the ocean compared to Myspace and are more secure. It wouldn't be hard for them to just let in the major SE bots and feed aggregators and, as for the rest of them, well, screw 'em, in order to keep out unidentified crawling objects. Up there with Yahoo and eBay, they're one of the most visited sites on the Web already, and their brand is one of the most searched-on queries any given week or month. So sure, it would hamper their traffic some, but IMHO it would be a small price to pay to sleep easier at night.
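As an added example of what that would look like in practice (this is not code from the original post or from Myspace): an allow-list robots.txt, a spider-trap path, and the check that turns the trap into detection when run over ordinary access-log lines. The robots.txt, the `/trap/` path, the set of allowed crawler tokens and the log lines are all constructed for this example; the addresses are documentation ranges and the traffic is fictional.

```python
import re
from urllib import robotparser

# Constructed robots.txt along the lines the post suggests: name the crawlers
# you want and shut everyone else out. The trap path is an assumption: a link
# hidden on every page that no human in a browser and no well-behaved crawler
# ever follows, so any request for it is a scraper or a robots.txt-ignorer.
ROBOTS_TXT = """\
User-agent: Googlebot
User-agent: Slurp
User-agent: msnbot
Disallow: /trap/
Disallow: /search

User-agent: *
Disallow: /
"""

TRAP_PATH = "/trap/"
# Product tokens of the crawlers the robots.txt lets in (assumed set).
ALLOWED_CRAWLERS = ("Googlebot", "Slurp", "msnbot")

# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)

# Constructed access-log lines (documentation-range addresses, fictional traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2007:23:41:07 -0700] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.77 - - [12/Aug/2007:23:41:30 -0700] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.23 - - [12/Aug/2007:23:42:01 -0700] "GET /home HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [12/Aug/2007:23:42:02 -0700] "GET /trap/a8f3.html HTTP/1.1" 200 88 "http://www.myspace.com/" "libwww-perl/5.805"',
    '192.0.2.9 - - [12/Aug/2007:23:43:15 -0700] "GET /search?q=san+francisco HTTP/1.1" 200 7311 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.9 - - [12/Aug/2007:23:43:16 -0700] "GET /trap/a8f3.html HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    'garbage line that is not in combined format',
]


def build_parser(robots_txt: str) -> robotparser.RobotFileParser:
    """Load robots.txt text into the standard-library parser without fetching it."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp


def crawler_token(user_agent: str):
    """Map a full User-Agent string onto the product token robots.txt names.
    robotparser matches on the text before the first '/', which for a real
    Googlebot string is just 'Mozilla', so the token has to be pulled out first.
    Returns None for anything not in the allow-list (browsers included)."""
    for token in ALLOWED_CRAWLERS:
        if token.lower() in user_agent.lower():
            return token
    return None


def audit_log(lines, robots_txt: str = ROBOTS_TXT) -> dict:
    """Return {ip: sorted reasons} for clients that hit the trap, or that claim
    to be an allowed crawler yet fetch a path robots.txt forbids that crawler."""
    rp = build_parser(robots_txt)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        ip, path, ua = m.groups()
        reasons = flagged.setdefault(ip, set())
        if path.startswith(TRAP_PATH):
            reasons.add("trap")
        token = crawler_token(ua)
        if token and not rp.can_fetch(token, "http://www.example.com" + path):
            reasons.add("ignored-robots:" + token)
    return {ip: sorted(r) for ip, r in flagged.items() if r}


if __name__ == "__main__":
    for ip, reasons in audit_log(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Two caveats worth keeping in mind. robots.txt is a public, advisory file: it only ever keeps out crawlers that choose to read it, so it must never be where back-end paths get "hidden" (a Disallow line for an admin URL is a map, which is the flip side of what Fierce found here). The trap is what actually catches the rest, and a hit on it from a client calling itself Googlebot is a spoofing signal, not a Google problem; the usual follow-up is a reverse-DNS check on the source address before believing the token.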

Maybe I'm just paranoid... Whenever I register a domain and put the DNS on anything other than the registrar's park page, it doesn't take but days or weeks before some hoser, proxified via the PRC, Turkey, Singapore, The United Arab Emirates or some other place, sends something wriggling through me trying to find vulnerabilities in things that don't even exist yet, i.e. before I've installed any software or databases on the host whatsoever. This moreover sometimes happens before I've published any content or set up any inbound links on the greater Web. That's how aggressive and thoroughly automated some people are.

Anyway, I'm not the only one with misc. feelers out there aiming to keep a finger on the pulse of things from ongoing research, polite observation, and info-power perspectives. So if people like me are becoming aware of this stuff without specifically trying, think what professional hackers are up to right about now with it. My guess: Shifting attention from developing various XSS methods that work on Myspace's public-facing stuff (a handful of which seem to appear monthly) over to targeting their back-end. At this rate it's probably just a matter of time until someone comes up with something that does a lot more damage than what Samy did.

With Web 1.0, hyper-growth was a lot about content management, handling loads on infrastructure etc. ... With 2.0 though, given the new democratic openness and the methods facilitating it, the watchword now is security for sure.



Based out of Northern California, bl.asphemo.us is a bl.og dedicated to the advocacy and study of high-impact, data driven marketing disciplines and related concerns: Analytics and Data Mining, Marketing Automation, Integrated Advertising (targeting, retargeting), Demand Generation and Lead Nurturing, Social Media / Social Engineering (Crowd-hacking) and the new PR, Privacy, Security, CRM, SEO / SEM, CRO, ROI... more TLAs (three letter acronyms) than any sane person's daily lexicon should include.
