Security

Why Is My Website Getting Hacked?!


Last month, when multiple security weaknesses were discovered in OpenSSL, the software used by thousands of companies to encrypt online communications, the world was reminded of how dependent we all are on everyone maintaining his or her own website security, especially those who maintain the web components we all share. The fact is, we have come to expect the security of the Internet and our web sites as almost a given. But the reality is that much of the Internet, as security expert Krebs points out, “…runs on technology maintained by a handful of coders working on a shoestring budget.” It’s amazing what has been done to protect and secure our web sites and the Internet they run on. That said, the question remains for many website owners: why would my website get hacked? I’m not a big corporate presence on the web. Who would want to bother me?

Automation

One of the reasons it’s so critical that small to mid-size businesses and organizations like yours take website security more seriously is that you are the new targets of automated attacks. Hacking as a web service has grown and is available to a large number of people interested in the hacking arts, regardless of skill, and these tools can make even those with little skill successful.

Random Attention

The trigger could be a plugin or exposed information about your website’s platform. Crawlers take about a month or so to find something about your site that looks interesting. They look for identifying markers such as whether you’re running a CMS platform, bugs in the code, or a vulnerable component. Once you have been crawled, you’re on the list for attack.

Targeted Attacks

In recent days we’ve had an example of a targeted attack. Sometimes these take the form of hacktivism, which can include defacement. The FBI and US-CERT both issued warnings on a probable defacement campaign against WordPress sites, suspected of being generated by ISIS. Several types of small to mid-size business and organizational sites were included in that notification. At the same time, an XSS vulnerability was found in a common WordPress component and again a warning was issued. These and other exploits now happen on a somewhat regular basis for most CMS platforms.

What Are They Getting Out Of It?

What are hackers getting out of attacking your site? More than you might think. Of course, there is the financial aspect. You probably already know about malware that can be loaded onto your computer from an infected site, which then looks for and gathers enough information to drain your bank account or access medical records and other sensitive information. Then there is the affiliate revenue generated by site redirects through what are known as black hat SEO spam campaigns (injection attacks).

There are also gains to be had from farming your actual resources: your computing power. Hacking groups can use your system resources themselves or lease them out. The combined resources are then used for brute force or denial of service (DoS or DDoS) attacks.

As mentioned above, there are also hacktivists: people or groups trying to make a statement by defacing or taking down a site. Recent examples have been the ISIS defacement attack and the takedown of the Indiana government site in defiance of the RFRA.

Last but not least, some do it simply because they can, and because they are bored. These are usually, though not always, the “script kiddies”: unskilled compared to sophisticated big-time hackers, but still dangerous exploiters of security lapses in a website.

So now that you know why, give SOS a call to help you to protect your web site with a monthly security package! 

Posted by Melanie

Freak Attack: What You Need To Know

Remember the Heartbleed vulnerability in SSL/TLS (the security protocols for the Internet)? There is a newly discovered vulnerability called the Freak Attack that was making the rounds in cryptography circles on the night of March 3, 2015. Sites that still support RSA export cipher suites are highly vulnerable to this bug, and that’s quite a number of sites (into the millions), including many government sites, not least the NSA site, the IRS, whitehouse.gov and the FBI tip reporting site. Even the site that serves the Facebook “like” button (connect.facebook.net) was vulnerable. If you run a server, you were being told to disable support for any export suites.

You can read more about what happened here: http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/

Patches are being rolled out, so this should be closed up soon. But what’s interesting (and also fitting), according to Matt Green, cryptographer and research professor at Johns Hopkins University, is that this latest vulnerability was really a result of decisions made in the ’80s to weaken exported cryptography so that the NSA could “access” information it deemed it needed, while still giving a grade of passable security for commercial use. You can read about how China now wants to do the same. In that regard, it seemed fitting to a number of us that the NSA site was the first affected.

What’s being done

4 things:
1) Apple and Google have released patches, so the TLS vulnerability will be addressed.
2) US-CERT has issued a vulnerability release with actionables.
3) This headline: Outdated Encryption Keys Leave Phones Vulnerable to Hackers. Note: this is the second article in the last few days that I have observed pointedly spelling out “National Security Agency” every time it is mentioned, which obviously points to the current negative connotations of the acronym “NSA”. It also leads one to ask who made the request to the news agencies to spell it out (if such a request was made).
4) It looks like it’s showdown time between the big techs and the government on this issue, because if they (the security folks) lose, there is no way any of us providing security can honestly assure you of high uptime or protection.

How to protect your Windows system, well sort of…

You can test your browser’s support, and if you haven’t already tested your Windows system for Freak Attack (specifically your IE browser), here’s the link where you can do that: https://freakattack.com/clienttest.html My advice? It would also be a good time to say goodbye to IE and switch to Chrome or Firefox, because MS only has a workaround for some systems as of yesterday’s security update. Your system has to have the Group Policy Editor for the workaround to, uh, work. But, hey, if you have the Group Policy Editor, here’s the fix:
1) Tap the Windows key, type gpedit.msc and hit Enter.
2) Use the left sidebar to navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
3) Double-click SSL Cipher Suite Order.
4) Switch the policy to “Enabled”.
5) Copy the cipher suite order from Microsoft’s advisory page to the clipboard and paste it into the SSL Cipher Suites field.
6) Click OK and restart your computer.

Of course, once you do this, Windows won’t connect to systems that only offer ciphers not on the list you added in the Group Policy Editor. You can disable this in future if needed. Take my advice: switch to Chrome.
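The Group Policy steps above fix the client side; for the server side, the advice earlier in this post was to disable every export suite. Here is an added Python check (written for this page, not from the original post, Microsoft or freakattack.com) to confirm that a server you administer has done so: it offers only the RSA_EXPORT suites in a TLS 1.0 ClientHello and reports whether the server agrees to one. The suite IDs are the IANA registry values; the function names are my own.

```python
import os
import socket
import struct

# RSA export-grade suites (IANA TLS cipher-suite registry values). A server that
# still accepts any of these can be pushed into a 512-bit RSA key exchange,
# which is the condition the FREAK attack relies on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def build_client_hello(suites, client_random=None):
    """Minimal TLS 1.0 ClientHello record offering only `suites` (no extensions)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                                   # client_version = TLS 1.0
        + rnd                                         # 32 random bytes
        + b"\x00"                                     # session_id length = 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Return the cipher suite a ServerHello selected, or None.

    None covers an alert record (type 0x15, the usual handshake_failure when
    none of the offered suites is acceptable), a closed connection, or bytes
    that are not a ServerHello at all.
    """
    if len(data) < 5 or data[0] != 0x16:              # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                  # type 2 = ServerHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # server_version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
    if len(body) < 35:
        return None
    off = 35 + body[34]
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def server_accepts_export_suite(host, port=443, timeout=5.0):
    """Name of the export suite the server agreed to, or None if it refused.

    Anything other than None means the server's cipher-suite configuration
    still needs fixing; None is the state the advisory asks for.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES)))
        data = b""
        while True:                                   # read one full TLS record
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                break
    return EXPORT_SUITES.get(parse_server_hello(data))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # a server you run
    print(target, "accepts export suite:", server_accepts_export_suite(target))
```

A server that has dropped the export suites answers the probe with a handshake_failure alert, so the function returns None; the same probe against a modern server that refuses TLS 1.0 altogether also returns None, which is equally acceptable here.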

Image source: Bounceweb.com


May: Scams and Viruses on Facebook and Other Security Issues

LOL Trojan Is “laughing” at the Facebook Messaging Service

Malwarebytes is warning Facebook users to beware of a new scam and trojan called the “LOL” malware. It arrives as a message that appears to be from one of your Facebook friends with a photo file attached named “IMG_xxxx.zip”. Opening it allows the Facebook user’s data and login credentials to be accessed.

What to look for…

Messages like “LOL” or “I can’t believe someone posted this” or “OMG, have a look at this” catch users off guard. After downloading and unzipping the file named IMG_xxxx.zip, the malware executes and infects your system. The jar (Java) file inside is the agent that actually downloads a predefined file from a particular Dropbox account; that file is what infects the user’s machine. In the background, messages are being sent to the rest of the user’s Facebook friends.

This sort of attack works because it goes through several steps to evade detection and to trick the user into trusting and opening it. Once on your computer, it further escapes detection by injecting itself into a legitimate running process (process injection).
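The two tells described above, a photo-sounding archive and a Java program inside it, are easy to check mechanically. As an added example (mine, not Malwarebytes’ or the original post’s), this Python routine triages a mail attachment in memory; the sample archives and member names it builds, such as IMG_4417.zip, are constructed for the demonstration.

```python
import io
import zipfile

# Extensions that should never turn up inside a "photo" attachment.
EXECUTABLE_EXTS = {".jar", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".com"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
ZIP_MAGIC = b"PK\x03\x04"        # .jar files are zip archives, so they start this way too
JPEG_MAGIC = b"\xff\xd8\xff"


def _ext(name):
    """Lower-cased extension of the last path component, '' if there is none."""
    name = name.lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def triage_attachment(filename, data):
    """Inspect an e-mail attachment in memory and explain why it looks like the lure.

    Returns {"suspicious": bool, "reasons": [...]}. Only .zip attachments are
    examined; anything else comes back clean so the caller can chain other checks.
    """
    reasons = []
    if _ext(filename) != ".zip":
        return {"suspicious": False, "reasons": reasons}
    if filename.upper().startswith("IMG_"):
        # Camera-style name on an archive: the social-engineering half of the lure.
        reasons.append("archive named like a camera photo (IMG_xxxx.zip)")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"suspicious": True, "reasons": reasons + ["not a readable zip archive"]}
    executable = False
    for member in archive.infolist():
        if member.is_dir():
            continue
        ext = _ext(member.filename)
        head = archive.open(member).read(4)
        if ext in EXECUTABLE_EXTS:
            executable = True
            reasons.append(f"executable member: {member.filename}")
        elif ext in IMAGE_EXTS and head.startswith(ZIP_MAGIC[:2]):
            # Image-named member whose bytes are a zip/jar: a renamed payload.
            executable = True
            reasons.append(f"image-named member with zip/jar content: {member.filename}")
    # The name alone is not a verdict (real photo archives exist); the content is.
    return {"suspicious": executable, "reasons": reasons}


def _make_zip(members):
    """Build a zip in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): the lure carrying a .jar, a genuine
# photo archive, and a jar renamed to look like a photo.
LURE_ZIP = _make_zip({"IMG_4417.jar": _make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})})
PHOTO_ZIP = _make_zip({"IMG_4417.jpg": JPEG_MAGIC + b"\x00" * 64})
RENAMED_ZIP = _make_zip({"IMG_4417.jpg": _make_zip({"a.class": b"\xca\xfe\xba\xbe"})})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("photo", PHOTO_ZIP), ("renamed", RENAMED_ZIP)):
        print(label, triage_attachment("IMG_4417.zip", blob))
```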

How to protect yourself

Change your Facebook password if you receive one of these and delete the message. Then notify Facebook and your friends in a wall post.

Inside That Postal Stamp Kiosk May Be A Scam

It looks as if a fraudster gang is installing skimmers on postal vending machines across the US. The banking industry started issuing reports earlier this month of fraudulent activity on debit cards used at postal vending machines such as stamp dispensers. According to the USPIS, customers using the machines are being urged as follows:

“USPIS recommends customers who use the APC machine should personally visually inspect the machine prior to use,” the USPIS said. “Look for any type of plastic piece that looks like it has been slid over the actual credit card reader. Look for any other type of marking on the machine that looks as though it has been applied by a third-party.”

Krebs on Security had this to advise on protecting yourself when using these vending machines:

One way to protect yourself against this type of fraud is to use a credit card in lieu of a debit card whenever possible. With a credit card, your liability is maxed out at $50 in the case of fraudulent transactions. Things get more complicated with debit cards. Although many banks also will observe the $50 limit on debit card fraud, customers could be facing losses of up to $500 if they wait more than two business days after learning about the fraud to report it. Also, while your bank is straightening out the situation, any cash you may be missing could be held in limbo, and other checks you have drawn on the account may bounce in the meantime if the fraudsters manage to clean out your checking account.

In addition, it’s a good idea to cover the PIN pad when you’re entering your PIN. Doing so effectively prevents thieves from stealing your PIN in cases where a hidden camera is present.


RansomWare Strikes Again: CryptoLocker

[Image: the CryptoLocker ransom screen]

That nasty thing above is the screen for a new ransomware on the rise called CryptoLocker. We’ve discussed ransomware before in a previous couple of posts here and here. As a review of what this malware does: it locks your computer and then holds it for, yep, you guessed it, a ransom fee. Hence the name.

However, this particular ransomware encrypts all your files and then offers, as in the screenshot above, a way to decrypt them, for a price: anywhere from $100 to $700 or, in some cases, 2 to 10 Bitcoins ($450 to $2100). In fact, with this new attack, they offer a “Decryption Service” that allows victims to purchase a “decryption key”. Of course, that’s the last thing you want to do. Bottom line: your files get encrypted and you may lose them forever and ever. Amen. …unless you have the decryption key.

How do you get infected?

CryptoLocker is spread through email attachments, and it has been noted that the hackers are targeting companies through phishing attacks.

What kind of files are  being targeted on an infected computer?

The file extensions, according to MalwareBytes, are listed below:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

How far has this malware spread?

According to The Hacker News, “…64% of its victims are from the US.”   It targets Windows systems.

Removal:

Regretfully, there is no tool known to be able to decrypt and restore asymmetrically encrypted files without the private key. Malwarebytes will detect CryptoLocker as “Trojan.Ransom”, but it cannot restore your encrypted files either. Your best defense is to back up your files frequently. And since this malware can spread to external drives such as USB and mapped network drives, don’t leave such drives mounted. Keep your anti-virus up to date and work at using file sharing services rather than relying on email attachments.


SECURITY ALERT: RansomWare Disguised As False DHS Warning


This is a special notice from CERT that we have just been made aware of: ransomware is back, this time under the guise of a false warning from the Department of Homeland Security. For a review of what ransomware is and how it works, you might want to read our past post on this malware.

So how does this new Ransomware work?

Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. – CERT

Reports of this particular nastiness are said to be occurring “in the wild”, which means this malware has been confirmed by at least two verifiable occurrences along with a sample submitted by WildList reporters (those with expertise in the field).

Advice:

  • Don’t pay the ransom
  • Notify the FBI – Internet Crime Complaint Center
  • If infected by this Ransomware,
    • Contact a skilled professional OR
    • Reformat your Hard Drive and then  perform a clean reinstall of your OS.
  • Change ALL passwords to STRONG PASSWORDS after safely removing the malware from your system. If it’s easy for you to remember, it’s easy to hack, socially or using hacking software.

Prevention Tips:

  • Don’t click on unsolicited links in email messages.
  • Make sure your email program SCANS ALL INCOMING EMAIL MESSAGES AND ATTACHMENTS.
  • Reduce reliance on email attachments. Instead use Google Drive inside a protected intranet and maintain strong password usage.
  • Maintain updated antivirus and anti-malware software. Scan frequently.
  • Don’t pass along email chain letters. Delete them.
  • Log out of all online sessions.
  • Review this CERT document on recognizing email scams.
  • Review this CERT document on Avoiding Social Engineering and Phishing Attacks. We’ve covered this information in past posts, but it’s always good to go over it again.

You really don’t want this on your computer.  So be safe and obey the rules of the road on this one.


Safety At the Wi

No, this isn’t about pool safety at the YMCA; this is about making sure you have a secure connection over an insecure one, namely every time you connect to the Internet at a public Wi-Fi spot.

Public Wi-Fi is a shared network, and any data passing through it can be intercepted, monitored or recorded by any number of interested parties with the right software and know-how. That means if you try to access your bank online, make a purchase or log in to a web application while on a public Wi-Fi network, your banking details, credit card numbers, passwords and other sensitive data can be stolen. So what can you do to protect yourself?

By now you may have heard the term VPN. What is it exactly? It’s an acronym for Virtual Private Network: a secure, encrypted “tunnel”, if you will, through which all your online data can pass safely. It works for any application that requires an Internet connection, be it a web browser, email client or IM (chat) client.

Searching Google will turn up a number of free VPNs you can use, one such being proXPN*, but take note: they don’t all provide the same level of protection. If you want to be sure that you are getting as much protection as you can get, you might want to think about making the monthly investment.

* Switched-On-Sites does not necessarily endorse this service.  


MS Updates, DDoS, and the Need for Threat-Centric Security


If you have read anything in the media about Internet security, you know that attacks on the web and on web sites are increasing. In this month’s discussion, we’ll talk about the new Microsoft updates rolling out today, the current news on the increase in DDoS attacks across the web, and finally the need for threat-centric security for your website.

Microsoft Updates For Multiple Vulnerabilities

A number of MS products have been found to have vulnerabilities, among them:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft .NET Framework
  • Microsoft Lync
  • Microsoft Office
  • Microsoft Windows Essential

All of these products have had flaws privately discovered (as Microsoft stated in its recent bulletin) that allow the following:

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Breaking this down: the Windows flaw could allow a denial of service (DoS) attack; the Microsoft .NET Framework (on which several programs run) could allow spoofing through a “specially crafted XML file” that lets an attacker gain the rights of an authenticated user to access functions on your computer; Lync, Publisher and Word all have flaws that could allow remote code execution; both Microsoft Visio and Windows Essentials have flaws that expose information to an attacker; and Internet Explorer has flaws that could let an attacker gain the rights of the current user, which is an especially serious vulnerability for those who operate their systems solely as an administrative user.

Advice:

If you haven’t already, enable Windows Automatic Updates.  Here’s how

DDoS and DoS (Denial of Service) Attacks

We won’t dwell too much on this one except to say that it is one of the least sophisticated ways of attacking a network or a website, but one of the most effective at bringing both down. These attacks have increased in frequency and severity over the last few months, and industry predictions are that this trend will continue. So what can you do to protect yourself?

Advice:

Make sure your web designer/developer or server admin has set you up with a security layer to slow down attacks and to isolate and block attackers. Give me a call at Switched-On-Sites (use our free call widget) to discuss how I can implement this to protect your site.

Threat-Centric Security For Your Web Site

What’s the advantage of a threat-centric security package for your web site? With hackers’ increased capability to attack multiple endpoints on the web, your site is always at risk. What does it mean to have a threat-centric web designer/developer? It means your web designer/developer has a proactive plan for continuously monitoring and detecting threats against your web site. It means they know how to respond to these threats and block them. It means that whether your web site gets breached isn’t the issue so much as how they respond when a breach happens. Give me a call at Switched-On-Sites to discuss how a Threat-Centric Security Package can protect your site.


Tragedies and Malicious Actors: Investigate Before You Send Your Credit Card


Several recent tragedies have given people opportunities to reach out and give to those affected. Giving online has become easier because of technology, and it’s also becoming the means of choice. Unfortunately, this also allows those with bad intentions to take advantage of tragic circumstances with scams. According to a recent release from the National Cyber Awareness System, some are already trying to take advantage of the Boston Marathon tragedy and those who are willing to contribute. How do they do this? By registering fake domain names and fake social media accounts. US-CERT had this to say:

For example, Twitter account @_BostonMarathon was created shortly after the explosions took place. The account stated it would donate $1 for each retweet, and was crafted to closely resemble the legitimate Boston Marathon Twitter account (@BostonMarathon). This account has since been suspended by Twitter; however, the likelihood that similar social media accounts will surface remains high.

US-CERT recommends that you look to official charities if you wish to donate money to support those affected by tragedies, especially recent ones such as the Boston Marathon bombing, the West, Texas fertilizer plant explosion and the Beaumont, Texas oil refinery fire.

Use caution when clicking links or interacting with social media accounts that claim to be representing a charity for a recent tragedy or need.   Do your homework.  Check out legitimate news agencies for verification or trusted  local organizations and churches.


Strong Passwords: Keeping Your Site Secure


One of the single most effective things you can do to keep your web site or other online accounts  safe at the User layer is to have a strong password.

This past week, in one of the larger distributed brute force attacks against WordPress sites, over 90,000 IP addresses were involved in a login break-in attempt, cycling through usernames and passwords. The hackers control about 100,000 bots, according to CloudFlare. The scope encompassed every WordPress installation on the network.

Typically, over the last few months, the attacks ranged from 30 to 40 thousand per day. This past week that number jumped to 77,000 per day.

The word went out from HostGator, a popular hosting service, late Thursday night:

“At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).” (HostGator)

I highlight this attack, which was a brute force dictionary attack, to make you aware of how important a strong password is, not just for WordPress sites but for any web site, including social media accounts. The scope of such attacks is gaining momentum. This attack was so exceptional in its scope that it also caught the notice of the Department of Homeland Security.

Here at Switched-On-Sites, we make it a practice to always use strong passwords on all client sites. We also worked through the night to make sure even those passwords were updated as a precaution. The hosting services we recommend have also taken precautions on their end to protect against this kind of attack. But it’s best to think of security protection in layers, and you need every layer protected against this kind of attack and others.
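The distributed pattern described above shows up in an ordinary web-server access log as many sources each making only a few failed wp-login.php attempts. This added Python example (my code, not CloudFlare’s or HostGator’s) counts failures per source and separates one noisy IP from that many-sources shape; the log lines are constructed with RFC 5737 documentation addresses, and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_wp_logins(lines):
    """Yield the client IP of each failed wp-login.php attempt.

    WordPress answers a wrong username/password by re-rendering the login form
    (HTTP 200) and a correct one with a redirect to wp-admin (HTTP 302), so a
    POST to wp-login.php that gets 200 back is a failed guess.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a request line we understand
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"]


def assess(lines, per_ip_threshold=10, distributed_min_ips=5):
    """Summarise wp-login.php failures in one log window (thresholds are assumptions).

    noisy_ips   : sources at or past per_ip_threshold, the classic single-origin
                  brute force that per-IP rate limiting or fail2ban-style rules catch.
    distributed : at least distributed_min_ips sources each staying *under* the
                  per-IP threshold. That is the shape of the attack described in
                  the post; per-IP blocking never triggers on it, so the alert
                  has to key on total volume and the number of distinct sources.
    """
    counts = Counter(failed_wp_logins(lines))
    noisy = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    quiet_sources = sum(1 for n in counts.values() if n < per_ip_threshold)
    return {
        "total_failures": sum(counts.values()),
        "distinct_ips": len(counts),
        "noisy_ips": noisy,
        "distributed": quiet_sources >= distributed_min_ips,
        "per_ip": dict(counts),
    }


def _line(ip, second, status, method="POST"):
    """One constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [14/Apr/2013:02:15:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3541 "-" "Mozilla/5.0"')


# Six sources with two failed guesses each (distributed), one source hammering
# away (noisy), and one real user logging in (302) and then loading the form (GET).
SAMPLE_LOG = [_line(f"192.0.2.{i}", i, 200) for i in range(1, 7) for _ in range(2)]
SAMPLE_LOG += [_line("203.0.113.9", s, 200) for s in range(12)]
SAMPLE_LOG += [_line("198.51.100.7", 30, 302), _line("198.51.100.7", 31, 200, method="GET")]

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```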

What is a Strong Password? As in the quote above, it’s a password that follows these requirements. It contains:

  1. upper and lowercase letters
  2. at least 15 characters (why do I say 15? Because it is known that hacking software can currently break 14 characters)
  3. “special” characters (^%$#&@*)

So what does a typical strong password look like? The following is an example. Please DO NOT USE IT. IT IS ONLY AN EXAMPLE.

9##@[iX’6s@C(8s
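The three requirements above, as an added Python check (mine, not WordPress’s or HostGator’s) that a site could run on a password form, together with the size of the search space the length rule buys. It treats the listed symbols as examples and accepts any printable ASCII punctuation; that choice and the function names are my assumptions.

```python
import math
import string

# Character classes a brute-force tool has to cover, with printable-ASCII sizes.
CLASSES = {
    "lowercase": (set(string.ascii_lowercase), 26),
    "uppercase": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), 33),   # assumption: any ASCII punctuation counts
}
MIN_LENGTH = 15            # the post's rule: 14-character passwords are already breakable


def _has(password, cls):
    return any(c in CLASSES[cls][0] for c in password)


def policy_failures(password):
    """Return the rules from the post that `password` breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (_has(password, "uppercase") and _has(password, "lowercase")):
        failures.append("needs both upper and lowercase letters")
    if not _has(password, "special"):
        failures.append("needs a special character such as ^%$#&@*")
    return failures


def search_space_bits(password):
    """log2 of the keyspace an attacker must cover when they know the exact
    length and which character classes are present: alphabet_size ** length.

    Each extra character adds log2(alphabet) bits, which is why the post's
    jump from 14 to 15 characters matters more than any single extra symbol.
    """
    alphabet = sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("password", "Correcthorsebattery", "9##@[iX'6s@C(8s"):
        print(candidate, policy_failures(candidate) or "passes", round(search_space_bits(candidate), 1))
```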

 

So if you are not yet using strong passwords, we strongly recommend that you start doing so immediately.
Want to know about other ways we can increase the security of your site against this and other kinds of malicious attacks?  Please contact me and we can discuss a plan that will cover your needs.  Stay safe out there!

Keeping Your Facebook Account Safe


UPDATE 8/10/2014:  What to do if you are infected with Facebook Malware (includes scanner download)

As of March 2013, there are 1.06 billion users and 689 million mobile users on Facebook. Those users visit 42 million pages and use 9 million apps.* That’s a lot of opportunity for hackers to get your private information and hack into your stuff. My post today is about explaining how they are doing it. We’re going to cover a lot of ground, so pay close attention. Here’s what we’ll cover: five ways your Facebook account can be hacked, ‘silent listeners’, and a recent phishing attack on Facebook of which you need to be aware.

Five ways your Facebook account can be hacked

The following are just some of the most popular ways among hackers to get into your account.  We’ll briefly consider them and, later, what you can do to protect yourself and others.

  1. Keylogging – this is done through spyware programs that monitor your keystrokes, grabbing whatever information they can, including your password as you type. It affects local and remote PCs and is very easy for them to do; until the spyware is removed, they can monitor everything that’s being typed.
  2. Phishing – obtaining sensitive user information (passwords, credit cards, etc.) through some kind of fraud, usually an email or a web page that directs you to click a link or give up information that lands in the hands of a hacker. In this instance, a fake Facebook page is created and the user is tempted to trust it and enter information through a login prompt. Once the information is entered, it is stored in a text file, and now the hacker has your login credentials. There has been a recent attack of this kind and Facebook has been warned. I’ll write more about that in a little bit.
  3. Mobile phone hacking – similar to keylogging (discussed above) in that it uses a spyware program installed on your smartphone to capture your keystrokes.
  4. Session hijacking – the most dangerous thing you can do to invite this is to be on a non-secure connection (http: rather than https:). Session hijacking lets the hacker steal your browser’s session cookie, the information that keeps you authenticated (confirms your login) on a web site, in this instance Facebook. Session cookies are usually temporary and get deleted when you close the browser, but while they are in use a hacker can intercept and steal the information associated with them.
  5. Side-jacking – similar in goal to session hijacking, but the means are different. Using a packet sniffer, the hacker seeks to intercept unencrypted cookies from a website, in this case Facebook, and exploit them over an unsecured Wi-Fi connection or LAN. In this instance, both you and the hacker have to be on the same network.

‘Silent Listeners’

According to a recent 7-year Facebook study (yes, we’ve been on there that long!), there are ‘silent listeners’ getting your information on Facebook. Although users (on the whole, since 2009) have been sharing less information publicly (electing instead to share within circles of friends), others have been listening in to the conversations, photos and other shared posts. Who are these ‘silent listeners’? They are the third-party apps so popular on Facebook. Yes, every time you accept that invite from your friend to remember your birthday, read The Washington Times, play Farmville, share music from Spotify, check in with Foursquare or use any other third-party app, you are sharing your private information with them. As ThreatPost, a Kaspersky Lab news service, notes:

That, along with user information given up by Facebook to entities of its choosing (law enforcement, etc.) and the information from private fields that is ultimately given to advertisers comprise a significant uptick in shared personal information that oftentimes, users are completely unaware they’re sharing. It’s these apps and entities that are ultimately likened to as “silent listeners” in the trio’s paper.

So you might want to think twice about using third party apps in the future or at least limit the ones you use.

Recent phishing attack on Facebook

As of two days ago, a new phishing campaign has been targeting Facebook users and Facebook pages. It looks and feels like a Facebook page, but it asks you for information that Facebook is not getting; a hacker is.

The following is an image of the so-called “Facebook Verification page” which is a bogus page asking users/admins for the page URL/ name and your login credentials. **

[Image: the bogus “Facebook Verification page” used to hijack Facebook pages]

Once you fill out the page the Hacker has your information to exploit for selling or his/her own purposes.

Advice:

Facebook Phishing Protection:

  • Don’t click on links in email messages unless you are absolutely sure of the source. And even then, it’s not that hard to go to the web site outside the email to check it out.
  • Don’t put personal information in an email.
  • Do not enter personal information in a pop-up page (one that opens a new window).
  • Send suspect Facebook phish pages and emails to:  https://www.facebook.com/help/217910864998172

Facebook mobile phone protection: when connecting through a mobile phone, use a VPN (Virtual Private Network). If you can’t afford a business or paid VPN service, there are free alternatives. These free services will NOT give you the same level of protection, so don’t use them for sensitive data transmission like bank records and such. VPNs also tend to slow down your browsing speed. Bottom line: invest in a good VPN service.

Facebook keylogging protection: this is a difficult issue because many businesses use keyloggers to monitor their employees, so some anti-keylogger software does not filter all keyloggers. There is free anti-keylogger software and paid. Best advice: comparison shop and make yourself aware of the pros and cons of each and of your own situation and needs.

UPDATE 3/26/2013

One of our leading cryptographers, Bruce Schneier, just came out with a post addressing social sharing changes to his blog. Again, it concerns how your data and mine is tracked through social media buttons, often without our knowledge and most definitely without our consent. As he states the problem…

The problem is that these buttons use images, scripts, and/or iframes hosted on the social media site’s own servers. This is partly for webmasters’ convenience; it makes adoption as easy as copy-and-pasting a few lines of code. But it also gives Facebook, Twitter, Google, and so on a way to track you — even if you don’t click on the button. Remember that: if you see sharing buttons on a webpage, that page is almost certainly being tracked by social media sites or a service like AddThis. Or both. (Schneier)***

His solution is to use an alternative sharing system called Social Share Privacy. It’s a plugin that developers can use on your site to help provide a layer of privacy between you and the trackers. It’s a 2-click system. It’s not perfect, but if you don’t click, you don’t get tracked. Here’s how it works…

The buttons are first disabled and a user needs to click them to enable them. So in order to, e.g., like a site on Facebook with these social share buttons a user needs to click two times. But in return for this extra click a user can only be tracked by these third party sites when he decides to enable the buttons. Using the settings menu a user can also permanently enable a social share button. (Social Share Privacy)

Our post deals mainly with security, but part of that includes how much information you want third-party apps to be taking and sharing with Big Data storehouses as well.  I’ll be writing a bit more about that in a future post.

But for now,  give Switched-On-Sites a call and allow me to help make your web site secure and your information private while you do business on the web.

*Figures provided by Digital Marketing Ramblings

** image src: The Hacker News

***Schneier on Security
