Elaborate Facebook Worm…

I was just talking to Brent Worley and he was telling me about a friend of ours that had their Facebook Account Hacked somehow and they were wall posting executables, etc.

I have been pretty busy lately and hadn’t heard of anything like that out there, so I did a little research and came upon this on TechCrunch. Pretty interesting; I guess I never really gave a whole lot of thought toward malware inside of social networks, etc.  If Facebook’s developers are having to deal with this, can you imagine what all is going on inside of MySpace? ha…

Update: Facebook responds to malware attacks.

Facebook malware attacks to date have largely consisted of getting user credentials via phishing sites and then spreading spam and additional phishing attempts. But a new worm is disseminating through Facebook that aims to install trojan software on a user’s machine.

The worm spreads when a compromised user’s account is used to send messages to others with a title such as “LOL. You’ve been catched on hidden cam, yo:” and a link to a random URL. The linked website is a YouTube-like page that shows a video player along with what looks like a standard browser message to update your Flash installation. Clicking on the button begins a malware installation of a file called “codecsetup.exe.” We didn’t go so far as to install the software, but our guess is that it zombies your computer, installs a keylogger, and other fun stuff.

A nasty feature of the worm is that it takes the profile picture of the sending infected user and adds it to the linked website. This makes it all look much more legitimate for the potential victim. Facebook users are notoriously naive when it comes to security awareness, and a certain percentage of users will always end up falling for this kind of social hack. There’s little Facebook can do other than attempt to filter out the landing website in messages.

Elaborate Facebook Worm Virus Spreading

Brian Gardner Media / WordPress

I am pretty excited today about a new addition to my development arsenal.  I was showing my partners Brian Gardner’s Premium Revolution / WordPress products and how they function this morning, and we decided to purchase his entire collection from him as well as access to any further works that he releases in the future.

I have used Brian’s themes in the past and they are top-notch!  In my opinion, labeling Brian’s Revolution Themes as “themes” is somewhat of an injustice, because when I think about themes I think about the typical run-of-the-mill free downloads that are available all over the web that you just take as a “starter” and hack to meet a project’s requirements.  But the Revolution Themes have a lot more to them; they actually come with a lot of cool features built in, like tabber.php and a few other “eye candy” applications that clients seem to enjoy, plus it’s a huge time-saver for us from a development perspective.

I was doing a little research on Brian’s personal website today and found out that he is a Christian and lives in Chicago.  He has only been in the industry for a short time but has already established himself and his online business as one of the top theme developers and WordPress gurus in the industry.  I am so anxious to access his collection!  Here’s a little information about Brian Gardner Media…

Plaxo Keeps Getting Better…

I have been a premium Plaxo user since the company started.  Since my business interests are primarily B2B (Business to Business) Service Providers, my contacts literally are my bread and butter.  I have somewhere in the neighborhood of 2500 contacts after recently auditing the list; being able to keep track of these folks over the years and maintain a relationship with them has been a huge asset to me. Plaxo is a huge part of that equation.

Recently Plaxo sold to Comcast and is now a part of their Media Group.  Over the past year or so Plaxo added a new feature called Plaxo Pulse that enables you to keep in touch with your contacts even better.  Since today’s landscape consists of social networks on top of social networks, the two big examples being Facebook and MySpace, it’s even more and more important to stay on top of your contacts inside these networks.  I am currently working on a project with a client that uses Facebook a lot to communicate regarding the project.  This is not uncommon, I actually have two projects right now that are working through Facebook.  A year or two ago I would have laughed at the idea. 

With Plaxo Pulse, you not only stay in contact with and connect to your business acquaintances, classmates, friends, and family, but you also stay in the loop with what’s going on in their world.  Pulse incorporates all of the top social media networks into one easy-to-track location.  I am not aware of anyone else really doing that right now as effectively or as comprehensively as Plaxo has done.  If you aren’t already on Plaxo, at least the free version, I recommend giving it a try and synchronizing your Outlook Contacts. If nothing else, it’s a great tool for backing up your Outlook, but I think once you have an opportunity to see what kind of a tool Plaxo is you will love it.

I have talked about Plaxo on here a few times in the past but here’s a little more information in case you aren’t already familiar with them…

We started with a different kind of address book, one that leverages the power of the network effect to stay up-to-date. We securely host address books for more than 40 million people (and growing rapidly).

And now, we’re bringing those address books to life with “Pulse,” a new way to enrich your connection with the people in your life. Pulse is a bit like some social networks you’ve heard of, but it’s different in several key ways…

First, Pulse is not a place to see how many online “friends” you can collect. It’s meant to be a better way for you to stay in touch with the people you actually know and care about — your family, your real-world friends, and the people you know from business. Pulse makes it easy for you to see what they’re creating and sharing online — their blogs, the photos they’re uploading, their restaurant reviews, and so much more.

Second, Pulse is not a “walled garden.” It’s a dashboard for seeing what the people you know are creating and sharing all over the open web. You can hook your Pulse account up to all the places where you create or share stuff (your blog, Flickr, Twitter, Yelp, and more than 30 other sites).

But “open” does not mean “public.” With Plaxo, you have fine-grained control over what you share with whom, whether that’s your contact info — or your photos from last weekend. Our privacy policy is one of the strongest out there, and we are full supporters of the Bill of Rights for Users of the Social Web.

We are dedicated to the notion that your address book, your friends list, and your content belong to you, not to us. We make it easy for you to take them with you wherever you go and to use them with an ever-expanding array of sites, applications, and devices.

And just recently, we became a subsidiary of Comcast Interactive Media, with a plan to have Pulse become central to creating a unified “Social Media” experience across the Web and TV (and more). Plaxo remains an independent operation in Silicon Valley, serving our worldwide customer base. To learn more, read the announcement blogpost.

Source: www.plaxo.com

Adding Form to DB Record in PHPR

I recently had a pretty intensive PHPR project where I had to create a page for a client that called in records from their database as well as displaying a form that visitors could use to contact the “name” and “email” from that particular record.  In theory this isn’t a complicated thing to get your mind around, but I found that building this in PHPR (PHPRunner) was going to be a task for a couple of reasons.

I have had a fellow PHPR user drop me a note and ask me to document how I put all of this together so I figured I would do so here.  I am going to prepare some documentation later on regarding two aspects of this project and post them to the PHPR forums later once I have a chance to document everything a little bit better…

The biggest thing that I ran into was issues with Smarty Templates and just inserting a standard PHP form into them; that was a no-go all the way around for the most part. I did stumble on some ways to do this if anyone is interested, but I ultimately didn’t use this on this project.  I went back and forth with Jane from Xlinesoft for a while and she was awesome in helping me get my mind around this; she also really helped me out a lot with some JavaScript features that the client was wanting to have with their photo gallery.  Xline is awesome!  If you build web portals with PHP/MySQL you owe it to yourself to check out PHPR!

Here’s how I was able to get this particular process to work.  I created a new table in the database to store the visitors’ (people requesting information) information in.  I set my permissions so that the public could hit this form and store data into it (with validation).  Once I created this table and generated its Add page in PHPR, I then went and added that code to the already generated View page from PHPR of the records that I wanted to also have this form on.  I then copied my form code into the View page at the appropriate place and saved it out.  It took a little while inside the visual editor’s code view to get this to work exactly right, but I eventually was able to.

The very next part was probably the trickiest to figure out inside of PHPR, because if you are familiar with PHPR you will know that you primarily are working with generated Smarty pages.  In order to add some logic to the form I added this event code in the event editor (After record added):

 

    // Parameters:
    // $values - Array object.
    // Each field on the Add form is represented as a 'Field name'-'Field value' pair
    // $keys - Array object with added record key column values
    // target_email and target_name are hidden fields prefilled from the existing database record

    //**********  Send email with new data  ************

    $email   = $values["target_email"];
    $message = "";
    $subject = "Resort Inquiry - " . $values["target_name"];
    $from    = "Client's Name <info@clientsdomain.com>";

    // One line per submitted field in the message body
    foreach ($values as $field => $value)
        $message .= $field . " : " . $value . "\r\n";

    // Headers: mail() builds the To: header from $email itself, so only From: is added here
    $headers = "From: $from" . "\r\n";

    mail($email, $subject, $message, $headers);

    //**********  Redirect to another page  ************
    header("Location: http://www.clientsdomain.com/confirmation.php");
    exit();

 

After I added this and tested the form it was working great.  Here is something that I probably need to make sure I mention.  In my trials building this particular app, I learned that I had to go in and predefine the value for 2 hidden fields in the form, one was the “name on the record” and the other the “email on the record”.  Once I had this part knocked out everything worked great.  This is pretty good to know because there wasn’t a whole lot of information on the forums when I started trying to build this particular app and I had to hunt around and find info from various places.  As I mentioned, Jane at Xlinesoft was awesome to help me out with this project.
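The event above builds the mail subject and recipient straight from form values, and the two hidden fields it relies on arrive from the visitor's browser like any other field. The following is an added example, not code from this post or from PHPRunner, of the same event written so that the recipient comes from the resort record itself and no form value can reach a mail header unchecked. The field name resort_id, the table resorts with columns id, name and email, and a mysqli connection $conn are assumptions for the illustration; the sample submission at the bottom is constructed so the file runs on its own.

```php
<?php
// Added example (not the page's or PHPRunner's code): a hardened "After record added" event.
// Assumed names: lead table field `resort_id`, resort table `resorts` (id, name, email),
// and a mysqli connection $conn provided by the event environment.

// Strip CR/LF so a value placed in a mail header cannot append further headers.
function header_safe(string $value): string
{
    return trim(str_replace(["\r", "\n"], '', $value));
}

// Fetch the recipient from the resort record by its key. Hidden form fields are sent by
// the browser, so the "email on the record" field is not used as the source of truth.
function lookup_resort(mysqli $conn, int $resortId): ?array
{
    $stmt = $conn->prepare('SELECT name, email FROM resorts WHERE id = ?');
    $stmt->bind_param('i', $resortId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assemble the mail pieces; returns null when the record has no usable address.
function build_inquiry_mail(array $values, array $resort, string $from): ?array
{
    $to = filter_var($resort['email'], FILTER_VALIDATE_EMAIL);
    if ($to === false) {
        return null;
    }
    $subject = 'Resort Inquiry - ' . header_safe($resort['name']);

    $body = '';
    foreach ($values as $field => $value) {
        if (in_array($field, ['resort_id', 'target_email', 'target_name'], true)) {
            continue; // record keys, not visitor content
        }
        $body .= $field . ' : ' . (string) $value . "\r\n";
    }

    $headers = ['From: ' . header_safe($from), 'Content-Type: text/plain; charset=UTF-8'];
    // The visitor's own address is useful as Reply-To, but only when it validates;
    // FILTER_VALIDATE_EMAIL rejects anything containing CR or LF.
    $reply = filter_var($values['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($reply !== false) {
        $headers[] = 'Reply-To: ' . $reply;
    }
    return ['to' => $to, 'subject' => $subject, 'body' => $body, 'headers' => implode("\r\n", $headers)];
}

// Event body as it would run inside PHPRunner (uncomment in the real event):
// $resort = lookup_resort($conn, (int) $values['resort_id']);
// $mail   = $resort ? build_inquiry_mail($values, $resort, "Client's Name <info@clientsdomain.com>") : null;
// if ($mail) { mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']); }
// header("Location: http://www.clientsdomain.com/confirmation.php"); exit();

// Stand-alone demo with a constructed submission: the visitor's email field carries
// an injected Bcc: line, which the validation drops.
$values = [
    'resort_id' => '42',
    'name'      => 'Jane Visitor',
    'email'     => "jane@example.com\r\nBcc: list@example.com",
    'comments'  => 'Please send lot pricing.',
];
$resort = ['name' => 'Sample Resort', 'email' => 'info@resort.example']; // constructed; would come from lookup_resort()
$mail = build_inquiry_mail($values, $resort, "Client's Name <info@clientsdomain.com>");
echo $mail['subject'], "\n";
echo strpos($mail['headers'], 'Bcc:') === false ? "no injected header\n" : "header injection!\n";
```

The two hidden fields can stay on the form for display, but the lookup by key means a visitor editing them only changes what they see, not where the inquiry is delivered.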

Sad Day in Arkansas…

It’s a sad day in Arkansas, Bill Gwatney was shot and killed today in Little Rock.  I had the opportunity to meet Bill a few years back while I served as a consultant to a state commission and he left a great impression on me.  I think that he may have still been a State Senator serving his last term when I first met him. I remember that while getting to know him initially I had no idea that he was the same Gwatney that co-owned all of the Gwatney Auto Dealerships in Arkansas, he just seemed like a really intelligent, down to earth guy with a sincere love for the state and a knack for public service.  (…anyone who knows me, knows that I have an uncanny “Forrest-Gump-Like” ability to end up places and meet really cool people like this and find out later who they are, this is another one of those rare cases…)

The last time I ran into him was a few years later I guess, I think he was working with Governor Beebe’s campaign in some capacity at the time and I was in Little Rock for a meeting and I ran into him and said hello while we waited in line to order lunch. It’s a shame that an accomplished businessman, husband, and public servant had to leave this world in this manner.  It just goes to prove that you never know when it’s your time and you should live your life ready.  I know he’s going to be missed by his friends, family, staffers, and a ton of Arkansans.  My wife and I send our thoughts and prayers out tonight to his wife and two daughters.  It’s a sad day in Arkansas…

News Source: News & Updates Regarding the Shooting – KTHV

WordPress for iPhone

I was just on the WordPress site looking through the plugins database and noticed that they have the new WordPress for iPhone app available for download from the Apple App Store.  As I am sure a lot of you already know, I am a huge fan of the WordPress Project and have been for a long time now, so needless to say this new app really excites me.  Not only is it huge in the respect that a lot of our clients that are running WordPress installations can now update their websites with their iPhones, but it is also pretty big, in my opinion, for the growth of the WordPress platform.  This added flexibility for WordPress should go a long way toward making it one of the most popular content management systems on the market today.  Here’s a little info on the iPhone app.

Introducing the first Open Source app that lets you write posts, upload photos, and edit your WordPress blog from your iPhone or iPod Touch. With support for both WordPress.com and self-hosted WordPress (2.5.1 or higher), users of all experience levels can get going in seconds. Download it now!

Projects: Ownership Resorts (phase one)

I am a little behind on updating my blog with some of my latest projects, sorry.  Thanks however to those of you who emailed me to make sure I wasn’t eaten by a shark on vacation!  I recently completed a project for a new client, Ownership Resorts.  If that name sounds familiar to you, it’s probably because these folks are primary sponsors on the Outdoor Channel’s RV Television Series.  I actually caught their commercial the other day and was quite impressed at how well they are promoting the project.

This project is basically an online database of RV Resorts across the United States and Canada that offer RV Lot Ownership as an option.  This is a pretty basic database with basic information about each resort including a few thumbnails for each resort. The client had a very specific look and feel in mind for the project so to accommodate his vision I relied heavily on some of my strategic partners and a few other developers to assist me in some new territories that I haven’t spent a lot of time working with in the past.  You will see a couple of cool JavaScript things in the solution as well, for example the photo mouseover effects accounted for an entire day to get it just right, but it was worth it in the end because the finished product is pretty cool. 

Another aspect of the project was the Resort Form Events.  When a visitor views a database record for a resort you will see that there is also a form located on each page.  I wrestled with a couple of ways to accomplish this, but my friends at Xlinesoft (primarily Jane) convinced me that adding a new database table to store the leads in, as opposed to just passing through the data, was the best option.  In hindsight she was 100% right.  At first the client didn’t need to store this information, but after some consideration he and I both agreed that this was in his best interest to do so. Coding the Database Record View pages using the Smarty Template Engine was another task all in itself.  There are just some things in Smarty that are a little different when it comes to inserting scripts into the .htm file.  I learned a lot about Smarty during this project as well as furthering my knowledge of the PHPR IDE; it was definitely a time saver on this project.

If you would like to take a look at the first phase of the Ownership Resorts Project, click here… I will probably release an official press release about the website over the next week or so, stay tuned…

PHPR Project Management

I found this interesting post on the Xlinesoft forum tonight. (Best Practices) It relates to Best Practices for using PHPRunner & Subversioning.  I currently don’t have a use for this in anything I am working on but thought that it was pretty interesting so I decided to include it here…

——————————————————

1.0 Summary:

Setting up an SVN repository significantly increases the manageability of large-scale projects using PHPRunner across many environment instances and developers. An SVN repository will also encourage companies to use PHPRunner in larger-scale projects. The output code can be deployed based on the subversions and the config file can be determined upon staging.

2.0 Case Statement

I have a project that is used in the development and live environment. Initially, it was not an issue since the db schema was synched. As the dev version was released to production, and additional tables were added to the dev environment, I found it almost impossible to manage the project with my simplistic approach. What I ended up doing was, for each instance of the development (dev, test, stage and live), I created separate projects. So, I now have 4 individual projects. Our European counterpart saw our US project and of course they requested one for each of their instances, which of course was about 6 all together. So, now I have a total of 10 separate projects, one for each db instance of our development phase. In my mind, the only difference is the config (i.e., host, user, password and db name).
For a while, I would just select one of the projects, make my modifications, and then Save As for each instance of the project. This worked for a while.

The problem started to occur when we went live the first time. There were enhancements that I wanted to make for the production version. Meanwhile, the db schema in the development and test instances started to change. So, I found many of my links started to break. So, I could no longer just simply Save As. The next step was to Cut and Paste.
I stopped Saving As, and started doing the following. I would make the changes in the most complete instance, which usually was the development instance since it’s where the new tables are coming from. Then, I would open another PHPRunner and open one of the other instances that I wanted to update. Of course, I couldn’t update all of them since some of the test and stage instances had not been updated.

As a result, there was chaos in my code. I no longer remembered which project belonged to which instance. I didn’t know which one got updated, which ones were the same, and which ones were broken. In other words, the project(s) became extremely unmanageable.

3.0 Analysis

This is a typical result when what seemed to be an easy process ended up entangled. Many times, the simplest approach may not be the wisest approach and could cause havoc on project and resource management. The criteria for a simple project are that the project is being developed by a single developer on one or two instances of the same project. Both db instances must be synched most of the time, or at least there must be a push to keep them in sync. As soon as a third unsynchronized db instance is introduced, it can no longer be considered a simple project management case. In order to avoid the pitfall of the case statement, one must ensure scalability and flexibility of code management, as well as of the deploy process.

 

4.0 Approach

4.1 Set-up

The way we resolved the issue was to deploy a subversioning tool, SVN, with a UI frontend, Tortoise. We created a project folder in the SVN repository and a trunk.
I selected the best “version” from the projects, which we’ll call ProjectPHP. I then looked for the PHPR project file and copied that and the tmp and visual folders into my SVN trunk folder (which was also in my local Apache htdocs webserver path). I opened PHPRunner, made the changes I wanted and saved. I am now saving the PHPR file into my SVN trunk folder that is also within my Apache webserver folder. I set my output file directly onto my trunk folder and I set the preview with the localhost URL. I build the projects.

4.2 Work Process and Project Management

If all goes well, all the output files are created within the trunk folder. I use the preview just to see if anything was broken. When I am satisfied with the changes, I close PHPRunner and then go to the trunk folder. I delete the tmp and visual folders, since I discovered that once I successfully build the output files with the tmp and visual folders, I can erase those two folders. Somehow, when I open PHPRunner and build it again, PHPRunner knows where to look for those tmp and visual folders. Also, for some reason even if I delete these folders, when I go to my Visual Editor, I can still see all the icons.

I commit all the files to the SVN repository. (Note: It’s really easy to do it using Tortoise SVN.) I now have a trunk of my project. I then check out a Working Copy. This is a good idea since you don’t want to mess up your trunk version, since it will always be your “base copy” of the code. In my working copy, I can open PHPRunner and open that particular project file. It works beautifully. All the icons show up in my visual editor. I can change the db configuration so that I am developing to the relevant instance of the database. Once I am done, I save my project. I used the Live instance of the db to create or update the project. Once I was satisfied, I saved my project, which was the latest and greatest of the code that I had been chaotically managing. Once we created the trunk, we created tags and branches.

I checked out the trunk into my Working Copy folder. For now, my WC is pointed towards the trunk. For every major milestone I reach, I create a Tag. The naming convention for the tag is usually the date and some task indicator like Dec102008_Task_1of3 or some other meaningful naming convention. I continue with my work on my WC until I complete all my tasks. By now, I have 3 tags, since I created them for each milestone.

I then commit my changes into the SVN repository. Since I was pointed towards the trunk, it updated the trunk. But since it is also a completion of a version of ProjectPHP, I created a Branch and called it Revision 1.0. This is my first “subversion.”

For now, I can continue to make small modifications or bug fixes to Revision 1.0. It is important to note that I am working constantly on my WC (Working Copy). Basically, I can “Switch” the WC to the trunk, tags or branches. When I am working on Revision 1.0, I will make tags along the way in order not to lose any of my code in case I mess up further along the way. There is a stopping point. Once I am done with my changes, I create a subversion Revision 1.1.

Note: Please refer to the sources link below for more detailed subversion workflow.

4.3 Deployment

For every completed revision, I test it in the Test, QA and Stage environments. And once it passes all 3, then I deploy it to Production. We created a page that allowed me to select which subversion I want to deploy and the “dbcommon” version that I want to use. Since in PHPRunner the db information is part of editing the project, when it builds the files it also builds the dbcommon that has all the db information (user, password, etc.). So, when there is a different db login for each instance, you will have to specify the correct “version” of the dbcommon. All I did was create one dbcommon as a “trunk” and then create all versions of that for each instance of the db.

Whenever I deploy, I select the code that I want to put into dev, qa or stage, and select the appropriate dbcommon. It is a dropdown. The staging process basically takes all my files, which are the output files, and overrides the dbcommon with whatever “version” of the file I select. Remember the version is really just to be able to have all the dbcommons for all the instances.

Also, there is one caveat for those that may want to have others use the project for each of the instances. So, say you have a Live version with the old db schema. So the Live version is Revision 1 and all its subversions. The active development is already on Revision 3, for example. And you’ve made some changes on Revision 3 and deployed it to your development and stage instances (and not Live of course, because the latest db has not been deployed to Live).

Since you still want to test and stage your Revision 1 code, you can deploy the code to the development and test environments but use the db instance that has the matching schema (usually by now, it will be just the Live version). Notify the folks using the tool that you’ll be testing and staging a production fix and therefore they need to log out. Once you verify the code in test and stage, deploy the code to Live. At this point, unless there is major functionality and not just small fixes, you may have to merge it with either Revision 3 (the latest and greatest version of your project) or back to the trunk.

I suggest not doing this, however. I would just leave Revision 1 and all its subversions where they are. It is easier just to make sure that that functionality is copied over to Revision 3 and then merged back to the trunk (since Revision 4 may be under way).

5.0 Conclusion

When you use SVN with Tortoise and set up the appropriate subversions, your project with multiple developers and instances can be manageable, as long as everyone understands the subversioning principle. Keep the PHPR file with the output files and delete the tmp and visual folders once you have successfully built a project within the SVN file folder. The PHPR file gets subversioned as well. In other words, it becomes protected from any accidental mistakes (like I have made so many times with my manual management of my PHP projects).
I hope this post will encourage people to use PHPRunner on a large-scale basis and will encourage the makers of PHPRunner to make it more and more robust.

6.0 To Do’s

  • Set up URLs for each project instance (dev, test, stage, live). These correspond to the db instances.
  • Set up SVN repository
  • Set up staging page. There will be a list of the environment where the codes will be deployed, a list of the code version to deploy, and the dbcommon version to override the dbcommon built along with the PHPRunner.
  • Set up Project Folder then /trunk, /tags, /branches (Please see the link and study the manuals)

Resource Links:
SVN
Tortoise
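The staging page in section 4.3 takes two dropdown selections, the code version and the dbcommon version, and copies files based on them. Because those selections come in as request values, the step that matters most for safety is checking them against the names that actually exist on disk before any path is built. The script below is an added example, not code from the forum post or from PHPRunner or Xlinesoft; the directory layout (code/<version>, dbcommon/<env>.php, envs/<env>) and the file names it creates are assumptions for the demo, which runs against a temporary folder.

```php
<?php
// Added example, not the forum post's or PHPRunner's code. Implements the staging step of
// section 4.3: copy the output files of a chosen code version into an environment's web
// root and replace the dbcommon.php that PHPRunner built with the one for that db instance.
// Assumed layout under $root:
//   code/<version>/      exported output files, one folder per SVN tag or branch
//   dbcommon/<env>.php   one dbcommon per db instance (dev, test, stage, live)
//   envs/<env>/          web root of each environment

// The dropdown contents double as the allow-list: only names that exist on disk are valid.
function allowed_choices(string $dir, string $suffix = ''): array
{
    $out = [];
    foreach (scandir($dir) as $entry) {
        if ($entry[0] === '.') {
            continue;
        }
        if ($suffix !== '' && substr($entry, -strlen($suffix)) !== $suffix) {
            continue;
        }
        $out[] = $suffix === '' ? $entry : substr($entry, 0, -strlen($suffix));
    }
    return $out;
}

// Recursive copy of the output folder; returns the number of files written.
function copy_tree(string $src, string $dst): int
{
    $count = 0;
    if (!is_dir($dst)) {
        mkdir($dst, 0755, true);
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $item) {
        $target = $dst . '/' . $it->getSubPathname();
        if ($item->isDir()) {
            if (!is_dir($target)) {
                mkdir($target, 0755);
            }
        } else {
            copy($item->getPathname(), $target);
            $count++;
        }
    }
    return $count;
}

function deploy(string $root, string $version, string $env): int
{
    // Reject anything not on the allow-list before a path is formed, so a crafted request
    // value such as "../../etc" never reaches the filesystem calls.
    if (!in_array($version, allowed_choices("$root/code"), true)) {
        throw new InvalidArgumentException('unknown code version');
    }
    if (!in_array($env, allowed_choices("$root/dbcommon", '.php'), true)) {
        throw new InvalidArgumentException('unknown environment');
    }
    $copied = copy_tree("$root/code/$version", "$root/envs/$env");
    // Override the dbcommon built by PHPRunner with the variant for this db instance.
    copy("$root/dbcommon/$env.php", "$root/envs/$env/dbcommon.php");
    return $copied;
}

// Stand-alone demo on a temporary layout with constructed file contents.
$root = sys_get_temp_dir() . '/phpr_deploy_' . getmypid();
foreach (['code/Revision_1.0', 'code/Revision_1.1', 'dbcommon', 'envs'] as $d) {
    mkdir("$root/$d", 0755, true);
}
file_put_contents("$root/code/Revision_1.1/index.php", "<?php // output file\n");
file_put_contents("$root/code/Revision_1.1/dbcommon.php", "<?php // built by PHPRunner, gets replaced\n");
file_put_contents("$root/dbcommon/test.php", "<?php \$host = 'db-test';\n");

echo deploy($root, 'Revision_1.1', 'test'), " files copied\n";
echo file_get_contents("$root/envs/test/dbcommon.php");   // the test-instance dbcommon, not the built one
try {
    deploy($root, '../../etc', 'test');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

In a real staging page the two arguments to deploy() would be the posted dropdown values; populating the dropdowns from allowed_choices() and validating with the same function keeps the list of deployable versions in one place.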

Remote Access Solution: LogMeIn

My friend Garth told me about LogMeIn a while back but I have only recently started using it on my office systems and I have to admit that it’s a great product.  It’s very easy to setup and using it remotely actually works better, in my opinion, than RDC.  I wish I would have had this going while I was in Destin last month and my Test Server went down for Windows Update and didn’t bring back up some of my apps… 

Remote Access Solution: Learn More About LogMeIn

Hackers Exploit DNS

Just saw this reported on CNN this morning.

SAN FRANCISCO, California (AP) — A giant vulnerability in the Internet’s design is allowing criminals to silently redirect traffic to Web sites under their control. Criminals sent Internet users in Texas to a fake Google site. The page’s program automatically clicked on ads. The problem is being fixed, but its extent remains unknown and many people are still at risk.

The gaping security hole enables a scam that targets ordinary people typing in a legitimate Web address. It happens because hackers are now able to manipulate the machines that help computers find Web sites.

If the trick is done properly, computer users are unlikely to detect whether they’ve landed at a legitimate site or an evil double maintained by someone bent on fraud.

Security experts fear an open season for virus attacks and identity-fraud scams.

“It’s kind of like saying, ‘There’s a bunch of money on the street. If you can get over there soon enough, you can get it,’” said Ken Silva, chief technology officer for VeriSign Inc., which manages the “.com” and “.net” directories of Internet addresses. “It’s something the industry is taking seriously. You’d be in a bad place if you weren’t doing something about it.”

The bug’s existence was revealed nearly a month ago. Since then, criminals have pulled off at least one successful attack, directing some AT&T Inc. Internet customers in Texas to a fake Google site. The phony page was accompanied by three programs that automatically clicked on ads, with the profits for those clicks flowing back to the hackers.

There are likely worse scams happening that haven’t been discovered or publicly disclosed by Internet service providers. “You can bet that the (Internet providers) are going to stay tightlipped about any attacks on their networks,” said HD Moore, a security researcher.

The AT&T attack probably would have stayed quiet had it not affected the Internet service of Austin, Texas-based BreakingPoint Systems Inc., which makes machines for testing networking equipment and has Moore as its labs director. He disclosed the incident in hopes it would help uncover more breaches.

The underlying flaw is in the Domain Name System (DNS), a network of millions of servers that translate words typed into Web browsers into numerical codes that computers can understand.

Getting from one place to another on the Internet typically requires a trip through several DNS servers, including some that accept incoming data and store parts of it. That opens them up for potential attack.

What this means is that a computer user in say, San Francisco, might type www.yahoo.com and head straight to the real Yahoo site, while at the same moment, a user in New York — whose traffic is routed through different DNS servers — might type that same Web address and end up on a phony duplicate site.

Scant details have been available about how the vulnerability works.

The researcher who discovered it, Dan Kaminsky of Seattle-based computer security consultant IOActive Inc., announced July 8 that he’d found a major weakness in DNS.

But he kept the rest secret because he wanted to give companies that run vulnerable servers a month to apply patches — software tweaks that cover the security hole. He coordinated with Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and other major vendors to simultaneously issue patches.

He got two weeks before bad guys and good guys alike accurately guessed the basics of what Kaminsky discovered.

It is this: By adding bad information to the packets of data zooming in and out of certain DNS servers, hackers can swap out the address of a legitimate Web site and insert the address of their malicious Web site instead.

A compromised server believes it’s sending people to the authentic site. And if the bogus site is designed well enough, users don’t know the difference, unless the site starts behaving weirdly.

Some clues might come if a page, like a banking Web site, is usually protected with Secure Sockets Layer, or SSL, which verifies a site’s owner and shows a padlock icon or a green address bar inside the Web browser. The padlocks in particular, however, are not always foolproof, because scammers can spoof them.

Just how widespread the attacks have been is hard to tell. The evidence of tampering can disappear before an Internet provider even learns there’s a problem.

The patching of DNS servers has accelerated. Kaminsky said 84 percent of the servers he tested at the beginning of the process were vulnerable. That has dropped to around 31 percent.

Still, Kaminsky said some administrators of computer networks might not patch their machines until they come under attack. Others didn’t patch immediately because they had to spend days or weeks testing the repairs.

That was the case with AT&T, which said the breach affected just one of its servers, a machine that was scheduled to be taken offline anyway. AT&T says it has fixed the problem.

More details about the vulnerability are expected to emerge Wednesday, when Kaminsky speaks at the Black Hat computer security conference in Las Vegas. The conference and its sister event, DefCon, draw researchers, government investigators and corporate executives eager to learn about new vulnerabilities and how to protect against them.

“There might be one or two things that haven’t leaked yet,” Kaminsky said with a snicker. “No one should even think they know the subject of the talk.” DNS attacks aren’t new. But Kaminsky discovered a way to link together some widely known weaknesses in the system, so that an attack that would have taken hours or days can now take only seconds.

“Quite frankly, all the pieces of this have been staring us in the face for decades, and none of us saw it until Dan put it all together,” said Paul Vixie, president of the Internet Systems Consortium, a nonprofit that publishes the software inside most of the world’s DNS servers.

“This is the mother lode all right, from the point of view of Internet criminals looking for easier access to other people’s money and secrets.”

Hackers create fake sites through Internet flaw – CNN.com