Remember, it isn’t private, ever.

When using social media services, the biggest mistake folks make is to believe – even for a minute – that anything they say is private. That leads to embarrassment, possible employment termination, and lots of other consequences.

For example, many users believe that their Twitter direct messages are not shared with anyone but the recipient. That’s not necessarily the case.

When you DM someone on Twitter, the message can be seen by everyone who subscribes to their timeline if:

– There is an image attached to the DM – image services are not private, and will carry the text of the message as a caption to the image on the photo-sharing site.

– There’s a link or you use a tweet shortening service (like TwitLonger). This one burns people even more than the image services, as you may have a shortening service enabled for all tweets in a 3rd-Party Twitter product on your desktop or phone. Bit.ly links and other URL shorteners are also public, so links in tweets can become public very easily.

– They retweet it. Twitter will try to stop them from doing that, but there are lots of ways around that.

– You accidentally replied instead of sending a DM. It’s easy to do, and you’d be surprised how many times it happens.

On Facebook, all the default security settings make nearly everything in your profile and posts public information. Even if you think your data is shielded, a change to profile information policies can flip things to public without warning – it’s already happened several times.

The same goes for Pinterest and other sharing sites. Even though you can try to keep everything private, the sites are designed from the ground up to share, and with one wrong click the world can see whatever you posted.

Just before this went to post, Eileen Brown posted an article that proves the point. Twitter is allowing 3rd-Party companies to mine historical data from their archive, which means that your tweets could be used by another company. While they don’t seem to want to expose DM’s, one poorly-coded script could make that happen.

So, use social media wisely. Remember that it’s supposed to be SOCIAL, and that sites and networks are designed to facilitate public communication. Even if you think something is private, there’s a good chance it’s not – or it may become public later.

Photo Credit: floeschie

Growl Comes Roaring Back

With Apple’s release of beta code for the upcoming OS X Mountain Lion release, one thing had many folks talking.

The Notification Center, a very popular component of iOS 5, will be coming to Mac desktops and laptops when Mountain Lion is released. This led many (myself included) to think about how Growl would be able to continue when the OS began to incorporate that functionality natively.

Growl – for those who haven’t seen it – is a notification app that runs on nearly every Mac. If you use applications that pop up notification windows to alert you of events, you’ve probably seen Growl in action. A few months ago, Growl went from a free application to a paid app, and suddenly a great number of people who never even knew it was on their machines became very aware of it. Having to pay for the new version will do that to folks.

For the most part, the switch to a paid app was accepted well by the general public. While it’s worth every penny of the US$1.99 they charge for it, that is because there isn’t another app that works as well, as seamlessly, and as integrated to the OS itself. Now, with Mountain Lion getting Notification Center, the folks behind Growl have a real fight on their hands.

To kick off the battle, Growl has posted a blog article showing all the ways that we’ll still need – or at least really want – Growl on the OS X platform.

The argument is pretty straightforward. The Notification Center platform will only cover apps bought from the Mac App Store, and will not have all the functionality of Growl itself.

That’s great, but there’s an issue that may still cause problems for Growl. More and more new Mac Users only know about the App Store for getting new software for their Mac. They rarely use non-App-Store-purchased packages, and therefore don’t need a 3rd-Party alert tool.

I think that Growl will continue to be a great application. For Mac users who get software from multiple sources, it’s still a vital app to have; and even if you only use the Mac App Store to buy software, there will be many apps that continue to stand by Growl.

With luck, Growl will indeed integrate into Notification Center, but continue to supply alerting and tracking to all apps on Macs.

Photo Credit: Ernst Vikne

Yep, I got hacked!

Well, that happened faster than I thought.

Yesterday, I spent quite a few hours rebuilding my blogs, as nearly all of them managed to get hacked. It was a porn-site redirection attack, inserting JavaScript into each and every PHP page in the WordPress system.

It started with one blog, but by midday, it had spread to three of my four sites. The site that got hit first was the newest one, so it was surprising that a site with very little traffic was indeed a target to someone out there.

While this issue is never fun to deal with, I expected it would happen at some point, and took the appropriate precautions. They saved my bacon.

Luckily, I have a few friends in the security world, who had armed me properly for how to identify and overcome an attack like this. They also had me prepare to block such attacks, but in this case the hacker found a way around the defenses. That’s not unusual, as new attacks are created every day, and tools like WordPress firewalls and exploit scanners only update so fast.

So, how do you prepare for a potential attack?

1 – Prep your site. Install plug-ins to ward off the more common attacks before they hit. The WordPress Firewall and Exploit Scanner can help quite a lot with this. Both tools were able to deflect quite a few attempts to access my sites before whoever got there yesterday found a back door.

2 – Know what’s on your site – always. There’s a great plugin called WordPress File Monitor that scans your files regularly to see if anything has changed, and alerts you by email when it finds anything that has changed. Sometimes, it gets annoying, but this time it let me know that all my WordPress files had changed at once. This was something that allowed me to address and fix the problem so much faster than I would have been able to do otherwise.

3 – Back everything up. There are plugins that can back up entire WordPress sites – with their content databases – to Amazon S3, DropBox, or your hard drive. Use them! If you do get attacked, you will have to restore from a backup, and so you better have one handy. I had been backing up, but a configuration error meant that many posts were lost. I have copies, but that will take some time to restore manually.
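The kind of check step 2 describes can be sketched in a few lines. This is an added example, not code from WordPress File Monitor or any plugin named above: it hashes every file under a site directory, compares a later scan against the baseline, and flags the "everything changed at once" pattern. The function names, the 50% threshold and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the site tree
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """List files added, removed or modified since the baseline scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def mass_change(baseline, report, suffix=".php", threshold=0.5):
    """True when at least `threshold` of the baseline files ending in
    `suffix` were modified in a single scan (threshold is an assumed value)."""
    tracked = [p for p in baseline if p.endswith(suffix)]
    if not tracked:
        return False
    hit = [p for p in report["modified"] if p.endswith(suffix)]
    return len(hit) / len(tracked) >= threshold


def demo():
    """Build a constructed three-file site, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        sample = {  # constructed sample content, not real WordPress files
            "index.php": "<?php echo 'home';",
            "wp-login.php": "<?php echo 'login';",
            "style.css": "body{}",
        }
        for name, body in sample.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Simulate the change pattern: every PHP file altered, one file added.
        for name in ("index.php", "wp-login.php"):
            with open(os.path.join(root, name), "a") as fh:
                fh.write("\n// constructed stand-in for unexpected content\n")
        with open(os.path.join(root, "new.php"), "w") as fh:
            fh.write("<?php // file that was not in the baseline")

        report = compare(baseline, snapshot(root))
        return report, mass_change(baseline, report)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server account cannot write; a manifest stored inside the site can be rewritten by whoever changed the files.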

Luckily for me, I saw the attack happen, confirmed it, and started cleaning up everything all within hours of the actual attack. That kept my readers safe and my headaches limited to the fact that I mis-configured my backup and lost some posts.

And if you do get hacked?

@Snipeyhead – a noted WordPress Security expert – has posted a great guide on what to do next. You can find it via this link. [Note, she does not pull punches, verbally or visually, so her site is very mildly NSFW] The article is a bit old, but the strategy is sound, well researched, and spot-on still today. Follow the process she shows in that post, and recover what got hit before your visitors get infected by drive-by downloads or you lose face due to defacing of your sites.

Remember, change ALL passwords, including the FTP/sFTP logins and your web host login. That’s in addition to the site logins, database logins/users, and any other security info you have on your site. If you can’t identify how you got hacked, then play it safe and change everything.

Now that everything is back online, I can say I weathered the storm. It can be MUCH worse, and it’s never fun, but you can indeed overcome attacks against your site quickly and effectively if you prepare ahead of time.

Photo Credit: neoliminal

Can you hear MP3 now?

This AM I downloaded the audio for the Republican Primary 2012 Debate from the 19th. Before anyone asks, I feel strongly about listening to ALL candidates before making any voting decisions.

The issue is that nearly every version of the audio and video I found has horribly low sound levels. On a PC, you’d use a 3rd-Party product to re-code the MP3 to a higher audio rate, lose a little bit of quality, but get a file you could hear clear sound on.

On a Mac, it’s actually easier!

Credit where it’s due, I found the basic instructions here on POI-Factory, but there were some hiccups along the way with iTunes 10.5.1 (the current version for Lion).

First, download the audio. You can get it from wherever you want, I found it on Ron Paul’s podcast. His Podcast team has been posting the audio from every debate within 24 hours, so very convenient; and I didn’t have to do anything quasi-legal like recording the YouTube version.

Next, load the audio that’s too low into iTunes. The easiest way is to just drag and drop the file from wherever you downloaded it right into a playlist. If the audio in question is a podcast, then you can just find the podcast episode in iTunes.

Right-click (CTRL-Click) the track in iTunes and go to “Get Info”

Go to the Options tab

Slide the Volume slider to the right to increase the volume level for just this track and hit OK.

This may take a little trial and error to find the right level for you, but iTunes will remember the level each time you hit OK.

By the way, the same trick works to LOWER the levels, should you ever download an audio file that has the levels set way too high.

Changing Default in OS X

I often check Replyz to give back to the Social Media community and answer questions folks have on a few topics that I have some knowledge of.

One of the frequent questions on using Mac OS is “how do I set the default application for a file type?” It’s actually pretty easy to accomplish this, all you need is a file of the type you want to assign an application to, and a mouse/trackpad.

First, right-click (or secondary-tap) the file and choose “Get Info.” This will bring up the dialog box shown to the right. You may have to click the little arrows at the top-left of each section to expand that section out.

About half-way down the Info page, you can see an “Open With” section. This contains two objects, a drop-down list for choosing the app, and a “Change All…” button.

To select which application will open this file ONCE, just drop down the menu you see and choose one of the listed applications. This list contains all the installed apps that have registered as able to open that type of file. If the app you want is not on the list, choose either “App Store” or “Other” from the menu (they show up at the bottom of the drop-down list).

If you choose App Store, the Mac App Store opens for you to find and install a software package for this file type. If you choose Other, Finder opens to your Applications directory so you can choose an app you already have installed. Note that you may need to change the drop-down menu under the file view from “Recommended Applications” to “All Applications” in order to see all the apps you have installed.

The “Always open with” checkbox on this page applies ONLY to this one file, so leave it unchecked when you choose the app you want to use for ALL files of this type.

Once you select a file type, you can then click the “Change All…” button under the drop-down menu on the Info window, which will allow you to specify that ALL files of this type should use the selected application to open/view, from now on.

That’s it, from then on, any time you open a file of that type, it will open with the selected application!

Note that there are two instances where the default app will change. 1) you can manually change it again using the same method you just went through. 2) a newly installed application can take the file type over. Usually you get the ability to stop a new app from doing that during installation, but sometimes it happens automatically. If that happens, you will have to manually set the file type to open with your preferred program once more.

How Spammers Get Around CAPTCHA

I’ve written in the past about CAPTCHA, the technology that shows you a picture of a group of letters or words that you must type in before you can log in to some sites, or sign up for free services like Gmail. As annoying as CAPTCHA is, the automated Turing Test has stood for several years as a standard way of ensuring that a real person is trying to access a service, instead of just some kind of automated system.

The problem is that spammers and scammers have found more and more ways to get around the CAPTCHA tests to ensure they have access to these systems just as easily as legitimate users do.

Initially, the bad guys just used sophisticated character recognition engines to look at the images digitally, and figure out what the letters or words were. This worked for a time, but then site owners started skewing the letters or adding in “noise” – dummy lines, dots and other static that made it more difficult for a scanning tool to figure out what was part of the CAPTCHA code and what was not.

So, spammers have taken a new route to getting around CAPTCHA. Since the codes are designed to only be human-readable, they’ve been employing humans to read them. Yup, that’s right, you can now hire someone to break CAPTCHA by solving thousands of codes a week for you to use to send spam. See this article for more information on such services.

Social Networking is no stranger to this problem, as thousands of fake blog comments, even entire blogs and RSS feeds full of fake information, are common. Spammers set up thousands of fake Twitter accounts to blast out spam, malware and fake gift certificates, only to create yet more new accounts as soon as the existing ones are flagged and banned. The same thing happens on Facebook, Windows Live and just about every other social network out there, as the spammers simply change their tactics and continue doing what they do, no matter how good the technology to stop them seems to be getting.

How do we stop this? Simple, make it economically inefficient to spam. Most of my readers already refuse to click links in email, or accept links/codes/certificates from anyone they don’t know on Twitter, G+, etc. Now we have to spread the message. Make sure everyone you work and play with knows that they shouldn’t accept offers, click links, or approve blog comments that come from anyone they don’t know. Those coming from people they know should even be suspect.

Set your blogs to require approval for all comments, and weed out the spam. Approve comments but remove URL’s if you’re not sure. If you see tons of spam comments in a blog, alert the author that they need to turn on approvals or they’ll lose a reader.

If you have the ability to flag posts as spam, do it. Same for Tweets, Posts and other social media sharing. Don’t be abusive or obnoxious about it, just flag them and move on.

Eventually, the cost of successfully spamming the world will become greater than the revenue generated by the spamming. Money talks, folks, and if it’s too expensive to make money by spam, people will stop spamming, but not until then.

In the meantime, ignoring links and flagging spam posts and comments will keep you safe from a lot of the malware running around out there.

Photo Credit: yandle

Get an Image

When you go online, visual experiences are some of the most powerful. Video speaks louder than audio alone. Blog postings with pictures tend to have a better impact on readers than text alone.

This holds true to your profiles as well. As you can see on my own home page, I have an icon image that I use for my online profiles. Mine was done for me by a web-comic artist (Woody Hearn of GUcomics.com) and wasn’t free, so not everyone will be able to have this kind of profile picture set up for them. That’s not to say you can’t have anything!

Even if you’re not paying for someone to make a profile picture for you, that’s no excuse for having the default “person” or “egg” icons that services like Twitter and Facebook provide. You need to change the default profile image to something that represents you, as soon as you can.

Now, this doesn’t mean you have to draw it yourself, or even use a real photo if you’re uncomfortable doing so. You just need to get something in there that is not the default icon that brands you as a new user.

For example, the image at the top of this post was created by John Kovalic (who writes Dork Tower, another online comic). He did it to show just how easy it is to create simple, but powerful user icons without a lot of technical expertise.

Here’s a few more of his icons – that he’s made available to anyone who wants to use them, free of charge:

With just a few clicks in some simple graphics programs (that you most likely already have free of charge on your PC or Mac) you can create a cute, funny icon that is clearly not the “default user” graphic.

So why don’t you want the default icon?

1 – it brands you as a “newbie” – a person who just started and has no clue what they’re doing. Even if that’s true, you probably don’t want the world to know that if you can avoid it =)

2 – It’s unprofessional. If you’re using Social Media for your job, the last thing you want is others discounting your opinion because you didn’t change the default user icon.

3 – Spammers use the defaults. Spammers create dozens of spam accounts at once, therefore they tend to not even bother to change the icon (after all, the accounts are going to get blocked pretty quickly). If you keep the default icons, many folks will instantly suspect you of being a spammer.

So get an image! Build it, buy it, or borrow it (make sure you have permission to do so, though).

Photo Credit: John Kovalic

Why You Should Not Auto-DM on Follow

I’m noticing more and more of this lately, and figure it’ll make a good topic for my first “Do’s and Don’ts” column.

Many folks – even those who have been working with Social Media for a good amount of time – will DM every new follower on Twitter with a message. Usually it’s a “thank you” with a request to follow them on other networks.

I’m very much against this for a few reasons:

1 – Twitter is about public conversation and social sharing. Yes, there are some times you need to DM a person. Usually it’s to give out an email address or phone number or some other information you don’t want the world seeing. Links to your Facebook profile and fan page are *not* private information.

2 – It’s annoying. Most of us get DM’s on our mobile phones or via email in addition to our Twitter clients. That means that I’ve got alerts going off to tell me that you’re looking for me to follow you on Facebook.

3 – It’s useless. The vast majority of people I know will specifically NOT follow you anywhere else, and many will immediately un-follow you on Twitter, for doing this. In other words, you’ve done the exact opposite of what you were trying to do with the DM.

Now, this isn’t to say you shouldn’t say hi to your followers. You absolutely should! But do it with an @Reply instead of a DM. This allows more than just your new followers to find you on other networks, and opens a public conversation, instead of a private message.

You’ll note that if you try to send the same message (e.g. “Thanks, follow me here and here and here, too!”) to dozens of people, Twitter will stop you. They’ll attempt to keep you from posting the identical message to multiple people, and lock you out as a spammer if you keep trying.

So, if it’s not acceptable to send a message to each person in an @Reply, why would you do it in DM’s, where you’re being annoying in addition to getting flagged as a spammer?

Talk to your followers, share that someone followed you with your network, share your other networks with your Twitter followers. Just reserve DM’s for their intended purpose – sending one person information that you don’t want the entire world to hear.

Photo Credit: brainware3000

Linux is coming to Azure

Well, Microsoft has been busy while we were all enjoying the holidays!

For those who aren’t in the know about Windows Azure, that’s the name that Microsoft has given to its nascent Cloud platform. Right now, the only publicly available components are SQL Azure and Azure Storage, which host SQL databases and cloud-based data storage, respectively.

Over the last couple of weeks, however, Redmond has announced that the upcoming Azure VM Role will support many other applications that can run in a Windows 2008 R2 Virtual Machine – which was expected – and also Linux Virtual Machines. This last bit was quite unexpected to many, but a welcome holiday gift from Microsoft.

Mary Jo Foley broke the news, and has a great write-up of the potential Azure VM structures, in her article from January 2nd.

Azure is going head to head with major cloud service providers like Amazon (AWS, EC2, etc.) and RackSpace; so offering Linux capabilities is a welcome move. Without Linux support, Azure was risking becoming a niche platform that would only be useful for basic Windows operations and Microsoft SQL databases.

Azure VM will be based on the Windows Hyper-V technology platform, extending that platform into the cloud. Today, Hyper-V and Hyper-V Server are slowly gaining ground in the corporate datacenter, but have not fared well against the major players like VMware. Since most cloud rollouts will be net-new implementations, Microsoft has a much better chance of becoming a large fish in a small pond by rolling out a solid Infrastructure as a Service (IaaS) platform with the Azure VM initiative, joining the Application as a Service and Database as a Service platforms already in Azure.

Now, there’s no official release date for the Azure VM Role, but it is in beta as I write this, so it does look like it will be launching at some point this year. How much of an impact Microsoft makes in the Cloud world is still to be seen. But, with the addition of multiple OS support, Azure just took one giant leap toward becoming a major player in the cloud space.