“Typos” Can Lead to Disaster for Your PC

The slip of a finger on the keyboard can result in misspelling something. That can be bad. Some malicious websites use the fact that typos are common, and that we can’t spell, against us.

Typing an address directly into the address bar is a great way to ensure that you are headed to the correct site, as opposed to clicking a link that you think goes to the right place when in fact it is a rip-off of the correct site. It might look the same, but look closer and you might notice some discreet differences to what you remember, like a slightly different address or wording of the site. This is called “phishing”. The new version of Firefox, Firefox 2, will have inbuilt protection from these sites. But there are also applications that will help as well.

The whole thing that led to this post was that I was sending a colleague some links to sites that will help them become more secure, such as anti-spyware and such. I came around to recommending they install an extension called Site Advisor. I went to the site and I noticed that they have posted a video on YouTube that chronicles what can happen at the slip of a finger.

It all starts when a user types “goggle” instead of “google” directly into the address bar… It all goes downhill from there. But let it be a warning to all. If you type an address into the address bar, be careful! In addition to this, install Site Advisor; it will tell you if the site you are on is bad. The extension also indicates a website’s status in searches, so that you know before you click if something nasty lurks at the other end. I would also strongly recommend using Firefox, although there is a version of the extension that works with Internet Explorer, found at the same site.

Another great tool is Link Scanner by Exploit Prevention Labs; it checks sites before you visit without finding out the hard way. Something that I do a bit as well is “hovering” over a link without clicking it. Doing this will show the actual link at the bottom left of the browser. I look and see if it is going where the text on the page says it is, or where I expect it to be going. Call me paranoid but I do it. Plus I have been on the ugly end of a zero-day virus and it isn’t fun. Tends to make you a bit paranoid.
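The two manual checks above (spotting a near-miss address such as “goggle” for “google”, and comparing a link's visible text with where it really points) can be sketched in code. This is an added example, not code from the original post or from any of the tools it mentions; `KNOWN_HOSTS` is a constructed list and the function names are hypothetical.

```javascript
// Constructed list of sites the user actually intends to visit (assumption).
const KNOWN_HOSTS = ["google.com", "youtube.com", "example.org"];

// Optimal-string-alignment edit distance: counts insertions, deletions,
// substitutions and swaps of adjacent characters (the usual typing slips).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Lower-cased hostname without a leading "www.", or null if not parseable.
function hostOf(value) {
  try {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
    const u = new URL(hasScheme ? value : "http://" + value);
    return u.hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null;
  }
}

// Returns the known host that `typed` is a near miss of (1-2 edits), else null.
function lookalikeOf(typed, known = KNOWN_HOSTS) {
  const host = hostOf(typed);
  if (!host || known.includes(host)) return null;
  return known.find((k) => editDistance(host, k) <= 2) || null;
}

// The "hover" check: true when the link text itself looks like an address
// but names a different host than the href the browser would follow.
function linkMismatch(text, href) {
  const t = text.trim();
  const shown = /\.[a-z]{2,}/i.test(t) && !/\s/.test(t) ? hostOf(t) : null;
  const actual = hostOf(href);
  return shown !== null && actual !== null && shown !== actual;
}
```

A threshold of two edits is a trade-off: it catches single slips and swapped letters, but very short host names can produce false matches, so a hit is a prompt to look closer rather than a verdict.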

I always said I would not use video on my blog unless I thought that it was effective in either demonstrating what I was saying or was in some way exceptional. This does and is. Scary stuff, glad it was not my PC. I would say “enjoy” but I felt decidedly ill. But cool to watch and see what happens. If it happens to you, just hose the system; there is no going back, not to the point where I would trust it anyway.

As described by the YouTube user that posted the video:

“McAfee SiteAdvisor takes a videotaped spin through some dark alleys of the Web. The result? A computer crash worth rubbernecking.”

Disclaimer: Exploit Prevention Labs is a current sponsor of The Global Geek Podcast of which I am a host.


StumbleUpon Secure? It Could Be

I like StumbleUpon, I think the concept is great and the idea of guided, accidental discovery is a worthwhile journey each time. But I am considering uninstalling it. The reason is: the thing that makes it great I don’t like because of where I might end up. It makes me a nervous wreck!

While this great extension for Firefox and now Internet Explorer is fun and is actually useful, I don’t like the fact that you can end up anywhere and be potentially infected with spy-ware, viruses and other nasties. The only sites and content that are addressed as far as I can tell from both the StumbleUpon Homepage and the Unofficial StumbleUpon FAQ are those of spam and adult content. Although on the Privacy page there is this statement:

“The sites that StumbleUpon recommends are entirely out of our control. As such, StumbleUpon takes no responsibility for them, or their content. These other sites may send their own cookies to users, collect data, or solicit personal information.”

[added emphasis]

There is also this warning in the Terms and Conditions:

“…nor may you use StumbleUpon Toolbar and Website in any manner that could interfere with any other party’s use and enjoyment of StumbleUpon’s recommendation services.”

This is a rather ambiguous statement but might cover the malicious user that might recommend a tainted website, or an ignorant, unaware user that does so unknowingly.

Spam can be reported and I assume is addressed by the admins. Adult content can be filtered out by the users’ personal account settings. In my opinion this does not go far enough. In addition I am sure that the terms of use disclaim any responsibility by the publisher of the software. This is not a criticism, rather what I would expect. I am not a lawyer and I am not going to attempt to interpret the user agreement or the terms of use.

What about security in general as well as adult content? I don’t want to be taken to a website that has viruses, worms, spy-ware, ad-ware, cross-scripting vulnerabilities, or anything else that might cause a disaster on my system. People should know that you no longer need to actually download and run a program that is infected with a virus to get one. Visiting the wrong web-page can cause problems, big ones! That is to say nothing of spy-ware which in my opinion is no different to a virus. I found this out the hard way earlier this year when my home PC was infected with a zero-day virus and I lost everything. The damn thing even wrote itself to the boot sector, very nasty. There is no mention of just how StumbleUpon handles this type of threat, or if in fact users of the extension are at risk at all. I certainly hope that it is not out of ignorance or failing to disclose the threat. As I see it now, it is a very real one.

Perhaps my paranoia is seeded in my virus experience earlier in the year. However a greater reason for it is my use of the McAfee Site Advisor extension. I rely heavily on this extension to let me know if where I am and where I am going is safe and that the files and content on the site are safe. If it is not a green site I don’t go there, period. Sure, I also use a good dose of common sense as well but the safe site extension is excellent peace of mind and so far has not let me down at all. I see it as an essential part of “safe-surfing” for any user. I don’t go to sites that I think have high risk content (regardless of the site advisor status), such as warez sites. It is not a risk I am willing to take and it is a pain in the arse building the PC again!

So I had a thought, why not make it an integrated option in the StumbleUpon Extension? For those users of StumbleUpon that also use Site Advisor, have an option for StumbleUpon to only take you to identified green sites. Theoretically this would be possible and Firefox is a relatively easy platform to modify in this regard due to its open source nature. I am sure it is a bigger ask for Internet Explorer. But that said I think it is a good idea. It sure would make me feel a lot better about using the application. Plus if adult content can be filtered then so can sites that are not green in Site Advisor.

[Screenshot: Spyware free Toolbar]

If that would not be possible I would like to know how StumbleUpon handle the security issue and what measures they have in place to protect users. Should they make a website that is a risk to users available as a “stumble” then potentially they could have a legal issue on their hands as they may be accused of delivering viruses or spy-ware to their user base. Albeit unintentionally, it would still be an interesting test of the terms of use. The screen-shot shown may also be regarded as misleading if this were to happen or has happened. In all honesty though I am sure this refers to the extension and toolbar itself, not where you are taken by it.

If the idea of incorporating the Site Advisor extension were taken up, it would make me a far more willing user and I would feel better using it knowing that I was safe to do so. As far as uninstalling it, I am still undecided.