Archive for the ‘Websites’ Category

Here’s Everywhere You Should Enable Two-Factor Authentication Right Now

August 29, 2012

Two-factor authentication is one of the best things you can do to make sure your accounts don’t get hacked. We’ve talked about it a bit before, but here’s a list of all the popular services that offer it, and where you should go to turn it on right now.
What Is Two-Factor Authentication?
Passwords, unfortunately, aren’t as secure as they used to be, and if someone gets your password, they can access your account with no problem. Two-factor authentication solves that problem.

Google’s spam guru, Matt Cutts, put it best: two-factor authentication is a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone). After you enter your password, you’ll get a second code sent to your phone, and only after you enter it will you get into your account. Think of it as entering a PIN number, then getting a retina scan, like you see in every spy movie ever made. It’s a lot more secure than a password that anyone can hack, and keeps unwanted snoopers out of your online accounts.

Where Can I Use It?
Unfortunately, you can’t use two-factor authentication everywhere on the web just yet. But a lot of sites have recently implemented it, including many of our favorite services. Here are some services that support two-factor authentication, with instructions on how to enable it:

Google/Gmail: Most of us store a lot of information in our Google accounts, and you’ll definitely want to protect it by turning on two-factor authentication. You can learn how to do it here, or check out Google’s official documentation for more info.
LastPass: If you use LastPass to create, manage, and store your passwords for other sites (which we recommend you do), this is one of the most important services you should enable two-factor authentication for, since it stores your passwords for every other site on the net. It uses the Google Authenticator app for Android, iOS, and BlackBerry, and you can read up on how to enable it here. Alternatively, you can use one of these password management apps that sync them between computers with Dropbox (which also supports two-factor authentication, as described below).

Facebook: Getting your Facebook account hijacked could be more than a little annoying, and their two-factor authentication is super easy to use. You can find instructions on how to do it here.

Dropbox: Dropbox is useful for all sorts of things, not the least of which is storing your data and sending sensitive info across the internet. Do yourself a favor and enable two-factor authentication using these instructions. If you want another layer of extra security, you can do so by encrypting the contents of your Dropbox with TrueCrypt.

Some Microsoft Products: Microsoft hasn’t enabled two-factor authentication for Outlook yet, but some of its services—including Xbox Live, its Billing pages, and SkyDrive when you remote to another computer—require it by default. You can read more about it here. And, if you want better security for Outlook, know that Microsoft is currently working on a secure, easy way to strengthen your login.
Yahoo! Mail: If you’re a Yahoo user, you can enable their two-factor authentication for your mailbox.

Amazon Web Services: If you use any of Amazon’s web services, like Amazon S3 or Glacier storage, you can get the extra security of two-factor authentication via the Google Authenticator app for Android, iOS, and BlackBerry. It also supports Windows Phone via the Authenticator app.

WordPress: If you don’t want anyone getting unauthorized access to your blog, WordPress also supports the Google Authenticator app for Android, iOS, and BlackBerry.

If you use any of these services, you should head over and enable two-factor authentication right now—it’s one of the best ways to keep your data (and, in many cases, your money) safe. Of course, you should also make sure you use a unique, secure password for each of your accounts, so if you don’t do that, now’s a good time to change that.

Beware of fake Facebook account cancellation emails

May 23, 2012
Fake account cancellation emails are targeting Facebook users and trying to get them infected with information-stealing malware, warns Sophos.
The email looks pretty legitimate at first glance:


While both embedded links point to a Facebook page, it is that of a third-party application running on the Facebook platform.

Users who follow them land there, but are immediately asked to allow a Java applet whose digital signature could not be verified. And even if they answer “No”, the window with the request continues to pop up and pester them.

If they finally agree and run the applet, another window pops up requiring them to download a supposed Adobe Flash update, which is actually the SpyEye Trojan in disguise.

“The social engineering being used by the tricksters behind this malware attack is pretty cunning,” Sophos points out. “They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family.”

Upgrade from 7GB to 25GB of Free Microsoft SkyDrive Storage While You Can!

April 26, 2012

Microsoft revamped its free online storage service SkyDrive this week (big week for online storage, right?) with new desktop apps and better syncing—but, sadly, a reduced storage limit for new users: from the 25GB previously offered to 7GB. Existing Windows Live account users can claim the 25GB of free space for a limited time. Here’s how.
First, if you’re an existing SkyDrive user already using more than 4GB as of April 1, according to this MSDN blog post, you’re already upgraded and grandfathered into the 25GB storage plan. You’re good.

But if you’re an existing SkyDrive account holder who doesn’t have that much uploaded already, you should log into your account at skydrive.live.com, then click the “Manage storage” link on the left navigation pane. In the next screen, click the “Free upgrade!” button to increase your storage limit from 7GB to 25GB. It’s a quick and painless process.

You may be able to get 25GB of SkyDrive storage even if you’re not a current SkyDrive user. According to a Slickdeals post, if you have a Windows Live account (e.g., @live.com or @msn.com) or Hotmail the upgrade may work for you. Click on SkyDrive from within Hotmail or sign in with your Windows Live account at the SkyDrive link below for the upgrade.

The new SkyDrive now has a 2GB per file limit rather than 300MB, new paid storage plans, and Dropbox-like single-folder syncing (read more about the changes at MSDN). As before, SkyDrive offers in-browser Microsoft Office document editing and creating capabilities, and if you grab the upgrade before this limited time offer ends (no word on when it expires), a pretty attractive amount of free storage space.

Google launches online storage application

April 24, 2012

Today, Google revealed their newest upcoming product: Google Drive.

Google Drive is an online file storage application similar to Dropbox, but with a twist.

In addition to standard file storage Google Drive offers several additional features including file revision history, built in compatibility with Google Docs, and a powerful search tool to navigate your files.

Google Drive is free to use and comes with 5GB of storage. Additional storage is available for a yearly fee.

Check it out at http://drive.google.com

While Google Drive is not yet available for all Google account holders, it is currently in the process of being rolled out. You can be notified when your Google Drive is available by clicking on the “Notify me” button in the top left corner of the Google Drive page while signed in to your Google Account. […]

Polymorphic Facebook scam targets users

April 10, 2012
An insidious scam that can result in multiple malware downloads is currently targeting Facebook users, warns Bitdefender.
It starts rather predictably, as users inadvertently share links to a supposedly leaked pornographic video. If their friends follow the link, they are faced with a request to download a Divx plugin in order to watch the video:


“The page recommending users to install the missing plugin features several other elements to encourage users to keep clicking,” points out Bitdefender.

“The video’s name hints that the sex tape belongs to a celebrity; the warning that the user’s antivirus must be disabled works on reverse psychology: though prospective viewers know this action is risky, they do it precisely because they have been warned about it; and the reference to age verification further hints at the salaciousness of the video.”

When run, the downloaded “Extension YouTube” immediately changes all newly opened tabs to a page advertising an adult chat service, then leads the user to another page that supposedly hosts the video the users wanted to check out in the first place.

But, now the users are asked to download another piece of software – the “7pic Video Premium Player”.

Unfortunately for them, it’s another bogus extension that allows the scammers to hijack the users’ account by accessing the needed cookie information and propagate the scam further.

“This is an interesting and quite complex type of scam,” says Andrei Serbanoiu, Bitdefender Online Threats Analyst Programmer.

“In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed. If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing.”

Critical Security Update for Adobe Flash Player

March 28, 2012

Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating.

Here’s how Adobe describes the updates to its updater:

The new Adobe Flash Player background updater updates all instances of a release version of Adobe Flash Player for all Web browsers on a computer. Previously, users had to perform separate updates for each Web browser running on their system.

With the introduction of the new background updater, Windows users have the option to download and install updates for Adobe Flash Player automatically (when available), without user interaction. After a successful installation of Adobe Flash Player 11.2, users are presented with a dialog box to choose an update method. The following three update options are available to users:

- Install updates automatically when available (recommended)
- Notify me when updates are available
- Never check for updates (not recommended)

Additionally, the user can change his update preferences at any time via the Flash Player Settings Manager, which for Windows users can be accessed via the Control Panel > Flash Player. In the Flash Player Settings Manager, the update preferences can be found and selected in the “Advanced” tab under “Updates.”

Want to learn which version of Flash you have on your system? Visit this link. Updates are available via the Adobe Flash Player Download Center. Google’s Chrome browser usually auto-installs Flash updates, often before Adobe even publicizes them. But this is the second time Chrome has fallen behind on that front: My installation of Chrome still shows version 11,1,102,63.

Sadly, Adobe’s fancy new updater doesn’t go beyond Flash itself. If you have Adobe Air installed (that means you, Tweetdeck users), Air will need to be updated as well to accommodate these Flash fixes. For more on how to do that, see these instructions.

“Facebook Applications Accidentally Leaking Access to Third Parties”

May 15, 2011

Symantec blog posting:

http://www.symantec.com/connect/blogs/facebook-applications-accidentally-leaking-access-third-parties

What Happens?

QUOTE: According to Symantec’s analysis, the problem was caused by a flaw in the old Facebook API which apps used to authenticate their account access. When a user grants account access to a web app, the app is given an “access token” which it can then renew. Symantec said that this access token can be mistakenly inserted into a URL returned by Facebook to the app server when the user logs in to an app. If the app loads an ad banner or analytics code as a next step, it will send that URL, including the access token, in the referrer field of its HTTP request for the content. This referrer data is likely to have been stored in the log file on the advertising or analytics providers’ server.

User impersonation tokens

Changing user password will invalidate old tokens. New tokens are safe.

Bottom line here people, CHANGE YOUR FB PASSWORD!

Facebook is making GOOD security improvements. 9.6 (and growing) users now using Facebook over HTTPS. Facebook now supports the much better OAuth 2.0 system. Facebook Apps need to support OAuth 2.0 by September: https://developers.facebook.com/blog/post/497
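The referrer leak quoted above from Symantec’s analysis can be checked for on the receiving side. This added example (not from the original post or from Symantec) scans combined-format access-log lines for referrers that carry an `access_token` query parameter and masks the value. The log lines, host names and token value are constructed, and the parameter list is an assumption to extend for your own apps.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credentials (assumed list).
SENSITIVE = {"access_token"}

# Tail of an Apache/nginx "combined" log line: "request" status size "referer" "agent"
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"\s*$')

def redact_url(url):
    """Return (url_with_tokens_masked, leaked_parameter_names)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return url, []  # leave clean referrers byte-for-byte unchanged
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), leaked

def scan(lines):
    """Report every log line whose referrer field exposes a token."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match or match["referer"] in ("", "-"):
            continue
        clean, leaked = redact_url(match["referer"])
        if leaked:
            findings.append({
                "line": number,
                "host": urlsplit(clean).netloc,   # app whose URL carried the token
                "params": leaked,
                "redacted": line.replace(match["referer"], clean),
            })
    return findings

# Constructed sample log from a hypothetical ad server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2011:10:00:01 +0000] "GET /banner.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/game?access_token=CONSTRUCTED123&ref=ts" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2011:10:00:02 +0000] "GET /banner.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/game?level=2" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:10:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]
```

Each finding names the app host whose pages leaked, which tells an app developer which pages must stop placing tokens in URLs before loading third-party content.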