Author Archives: Hina Jahangir

Why Edward Snowden loves open source

Infamous government hacker Edward Snowden believes open source is a fundamentally better way to use technology compared to proprietary technology that he believes disempowers users.

Snowden was interviewed at the OpenStack Summit in Boston, the conference of the open source cloud computing project, via video from a nondescript location and spoke about his personal use of open source technology. In 2013 Snowden, then a government contractor, leaked classified information about government surveillance programs run by the National Security Agency, which brought him worldwide fame.

Speaking specifically about cloud computing technology, Snowden said clouds from Amazon and Google are fine, but noted that customers using these products are “sinking costs into an infrastructure that is not yours… you’re investing into things you don’t control or shape.” Snowden raised the question: “When you’re running things in Google’s cloud, Amazon’s cloud, how do you know when you’re being spied on?” Whether it’s happening legally or illegally, Snowden argues these vendors could use customers’ information “at a layer that’s hidden from you.” There have been no credible reports of cloud vendors spying on customers.

Snowden encouraged attendees of the OpenStack Summit to “direct the future of the internet in a more free and fair way.” One way to do that, he says, is to use open source tools to build computing platforms that customers build and host themselves, which gives users more control over how data is handled.

Amazon Web Services explains on the Data Privacy section of its website that customers control their own data. “Customers maintain ownership of their customer content and select which AWS services process, store and host their customer content. We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users,” the site states. “We never use customer content or derive information from it for marketing or advertising.” Cloud vendors also offer a variety of ways that customers can encrypt data stored in the public cloud, including offering customers the ability to hold their own keys to the encryption.

Snowden is also worried about data privacy when it comes to smartphones and other technologies. “All systems should be designed to obey the user, they should not deceive or lie to the user. They shouldn’t hide from the user,” he said. Snowden said he’s working on open source code projects that allow users to verify the status of their phones, for example, to ensure that when WiFi or networking features are disabled that they truly are.

Snowden said he used a variety of open source tools to facilitate his 2013 leaking of thousands of classified government documents, including the Debian open source operating system and the Tor Project, which helps protect users’ anonymity.

SESSION HIJACKING, COOKIE-STEALING WORDPRESS MALWARE SPOTTED

Researchers have identified a strain of cookie-stealing malware injected into a legitimate JavaScript file that sends data to a domain masquerading as a WordPress core domain.

Cesar Anjos, a security analyst at Sucuri, a firm that specializes in WordPress security, came across the malware during an incident response investigation and described it in a blog post Tuesday.

Anjos says it appears attackers used typosquatting, or URL hijacking, to craft the phony domain, code.wordprssapi[.]com. Typosquatting is a technique that usually relies on users making typographical errors when inputting URLs into a web browser. In this case, the fake site is designed to look like a legitimate WordPress domain so it doesn’t appear out of place in the code.

The researcher said it appeared attackers injected malware into the bottom of a legitimate WordPress JavaScript file designed to reroute sensitive information, such as cookies, to the fake domain.

Denis Sinegubko, a senior malware researcher at Sucuri, told Threatpost Wednesday that it’s likely an attacker took advantage of another vulnerability in WordPress to inject the obfuscated code in the first place.

“Modern attacks rarely use one specific vulnerability. They usually scan for multiple known vulnerabilities (mostly in third-party themes and plugins) and then exploit whatever they find,” Sinegubko said.

Anjos points out that in addition to appearing at the bottom of an actual WordPress JavaScript file – wp-includes/js/hoverIntent[.]min[.]js – the code also uses a typical obfuscation pattern, eval(function(p,a,c,k,e,d). The function, commonly used in JavaScript libraries and scripts, tightly packs code that’s later executed when the page loads.

After Anjos decoded the obfuscated code, he saw the malicious – and now offline – WordPress API site.

In this case, Anjos says a conditional statement hidden at the top of the code excludes cookies from user agents belonging to search engine crawlers. That “extra mile” by the attacker, Anjos says, helps weed out cookie information from crawlers and bots and “ensures that the data being sent to attackers is more likely to immediately be usable.”

Once it’s been determined the data – in this case, a user’s cookies – is valuable, a script sends it to the malicious site (code.wordprssapi[.]com) so it can be siphoned up and used by attackers, Anjos says.

By stealing a user’s cookies, through what’s essentially a session hijacking attack, an attacker can pretend to be that user and perform any actions the user has permission to perform. At least until those permissions are revoked; something that’s done after a period of inactivity for many types of online accounts, including WordPress.

The site that URL is mimicking, code.wordpressapi[.]com, isn’t even a legitimate site, the researcher points out. But in this case, that doesn’t matter; the fact that it includes the word “WordPress” is enough to make it look like it belongs, Anjos says; that’s what tricks users.

“By purchasing a domain closely resembling a legitimate website platform or service, some webmasters might overlook this in their code and assume it is an official WordPress domain (which it is not),” Anjos wrote.

Sinegubko is a bit puzzled when it comes to who may have been behind the malicious site.

“No clue,” Sinegubko said when asked Wednesday, “As always, WHOIS data is ‘privacy protected,’ the IP (45.32.137.126) points to vultr[.]com network (not a typical choice for hackers especially with the Windows IIS/8.5 server).”

In addition to ensuring they have clean code, webmasters should double check sites to ensure they’re not sending sensitive data, like cookies or passwords, to a third party, Anjos says.

“This is something that all webmasters should be aware of when they are auditing their own code. Be careful and always check that a domain is legitimate, especially if it is involved in collecting or sending information to a third-party site,” the researcher wrote.
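The audit Anjos recommends can be partly automated. The following scanner is an added example, not code from Sucuri or the article: it checks a JavaScript file for the eval(function(p,a,c,k,e,d) packer signature, for document.cookie access, and for identifiers that are near misses of “wordpress” (such as wordprssapi). It relies on the fact that this packer keeps every identifier and domain label of the original code in a '|'-separated dictionary, so lookalike domains surface without unpacking. The sample file contents, the brand words and the allowlist are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Signature of the eval(function(p,a,c,k,e,d)...) packer the article names.
PACKER_RE = re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")
COOKIE_RE = re.compile(r"document\s*\.\s*cookie")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{3,}")
# Brand words an attacker would imitate; near misses of these are flagged (assumed list).
BRAND_WORDS = ("wordpress", "wordpressapi")
# Assumed: the exact brand word is expected in legitimate core files and is never flagged.
ALLOWED_WORDS = {"wordpress"}

def is_lookalike(word: str, threshold: float = 0.8) -> bool:
    """True when word closely resembles a brand word, e.g. 'wordprssapi'."""
    if word in ALLOWED_WORDS:
        return False
    return any(SequenceMatcher(None, word, b).ratio() >= threshold for b in BRAND_WORDS)

def scan_script(source: str) -> dict:
    """Collect indicators from raw JavaScript text, packed or not."""
    words = {w.lower() for w in WORD_RE.findall(source)}
    packer = bool(PACKER_RE.search(source))
    # Raw document.cookie, or both tokens surviving inside a packed dictionary (heuristic).
    reads_cookie = bool(COOKIE_RE.search(source)) or (packer and {"document", "cookie"} <= words)
    return {
        "packer": packer,
        "reads_cookie": reads_cookie,
        "lookalike_words": sorted(w for w in words if is_lookalike(w)),
    }

def verdict(findings: dict) -> str:
    """Triage label: lookalike domain plus cookie access or packing is the article's pattern."""
    if findings["lookalike_words"] and (findings["reads_cookie"] or findings["packer"]):
        return "suspicious"
    if findings["packer"] or findings["lookalike_words"]:
        return "review"
    return "clean"

# Constructed sample: a benign minified tail, then an appended non-functional packed stub
# whose dictionary leaks the tokens the decoded code would use.
BENIGN_TAIL = "!function(a){a.fn.hoverIntent=function(b){return this}}(jQuery);\n"
APPENDED = ("eval(function(p,a,c,k,e,d){return p}('0|1|2|3|4|5|6|7',8,8,"
            "'window|location|https|code|wordprssapi|com|document|cookie'.split('|'),0,{}))\n")

if __name__ == "__main__":
    for name, text in (("clean", BENIGN_TAIL), ("injected", BENIGN_TAIL + APPENDED)):
        found = scan_script(text)
        print(name, verdict(found), found)
```

Run it against every file under wp-includes/js and wp-content; a “suspicious” verdict on a file whose upstream copy is clean is worth a diff against the original package.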

YouTube Starts Rolling Out New Website Design, Dark Mode

YouTube has started to invite its users to preview a new design of its website, which includes a dark mode suitable for nighttime viewing. The design is also more closely aligned to the look and feel of YouTube’s mobile apps, with YouTube product manager Brian Marquardt promising more consistency across platforms in an announcement blog post.

“Starting today, we’re opening up a preview of the new design to a small group of people from all around the world so we can get feedback,” Marquardt wrote Tuesday. “While we hope you’ll love what we’ve been working on, we’re also really excited to involve the YouTube community so we can make the site even better before sharing it more broadly.”

Users interested in the preview could briefly sign up for it on a special web page Tuesday, but YouTube quickly closed the sign-up after reaching an undisclosed threshold. The Google-owned video site promised to invite additional users in the coming weeks, and plans to eventually make the new look available to all users.

In addition to a night mode, which replaces the white website background with a black theme that’s less jarring when used in low-light situations, the new YouTube also uses a somewhat cleaner design. Two separate menus are being merged into one, and individual menu items are spaced more generously, giving the whole site a lighter look and feel.

But one of the biggest changes may be under the hood: YouTube now uses Polymer, a new scripting technology that’s meant to simplify web development. The result could be that YouTube might be able to change up its site more easily in the future.

What This Startup Can Teach CMOs About SEO

If you’re a Chief Marketing Officer at a digital business in 2017, chances are a large part of your time is already taken up by dealing with SEO. And thanks to Google’s ever-changing algorithm, what you learn today may not be true tomorrow, meaning you constantly have to stay up to date on the latest algorithm updates and SEO trends. Luckily there are a few constant lessons that remain true throughout algorithm updates and changing times that you can apply to build a future proof site.

The founders of Los Angeles based Everipedia, Inc. noticed that Wikipedia’s model for search engine dominance is ripe for disruption and innovation. They set out to redesign the online encyclopedia for the modern age. To do that, they are required to command a powerful search engine authority similar to Wikipedia’s dominant presence throughout Google’s results. What started out as a small project in a UCLA dorm room has now turned into one of the world’s largest encyclopedias with millions of users and a company valuation of $22 million.

Below, Everipedia’s founders share their most important optimization lessons for CMOs that will help bring your website to the top of Google’s search results.

Focus On Mobile Design And Usability

In 2016, mobile overtook desktop as the primary device people use to browse the web, and Google has been quick to update its algorithm to make it more mobile oriented. Many industries and websites are starting to see their percentage of mobile traffic steadily climbing. But even though responsive design has been around for a while now and is well-established, a majority of websites tend to fall short on their mobile usability.

Theodor Forselius, the Head of Design, describes what they have done in regards to mobile optimization: “At Everipedia we have actually focused more on our mobile functionality and usability than we have on desktop. All of our pages on mobile are built with Google’s Accelerated Mobile Page (AMP) framework which gives our pages priority in Google’s SERP over competitors.

The AMP framework also significantly improves our page speeds on slow 3G/4G connections which in turn decreases the bounce rate and signals Google that the page is user friendly.”

The lesson for CMOs: If the desktop version of your site is better than the mobile version, your priorities are misplaced.