Posts tagged found

Found appoints Kirsty Hulse as head of SEO – The Drum

Formerly search strategist at DigitasLBi, where she worked for six years, Hulse has defined search strategies for global brands such as Danone and the Arcadia Group and advised numerous SMEs and ecommerce start-ups. A regular speaker at SEO industry …
Found lures DigitasLBi SEO brightspark to lead SEO teamEconsultancy (press release) (blog)


View full post on SEO – Google News

Lost and Found: How Top E-Commerce Brands Stack Up With Site Search

Recent analysis by the Baymard Institute shows top e-commerce brands fall short with site search results and highlights the need for brands to better assist shoppers in their path to purchase.

View full post on Search Engine Watch – Latest

Thoughts on 404 Not Found Error Pages by @michielheijmans

Have you ever wondered why you should have that 404 Not Found page? What’s the use? The page is gone or broken and you don’t want people to end up there, so why not just redirect that page to the homepage of your website? They even made WordPress plugins that will help you do this, so why not, right? Wrong. What you’re basically doing is putting people on a train they did not choose themselves. If I want to go to Paris, why send me to London instead? If a visitor wants to find a certain page on your website, […]

The post Thoughts on 404 Not Found Error Pages by @michielheijmans appeared first on Search Engine Journal.

View full post on Search Engine Journal

AdWords Click Fraud Service Found Using Google’s Trademark, Promoting Itself On YouTube

How’s this for brazen? For at least two years, a Russian hacker has been running a cheekily-named click fraud service called GoodGoogle, promoting it in videos on Google’s YouTube and using Gmail accounts to correspond with customers. Online security expert, Brian Krebs, recently…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

SearchCap: Google AdWords Editor, Direct Is Organic Traffic & America Movie Not Found

Below is what happened in search today, as reported on Search Engine Land and from other places across the web. From Search Engine Land: “America” Movie Filmmaker Sends Legal Demand For Google To Fix Showtime Results The Hollywood Reporter writes that Dinesh D’Souza’s movie,…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Critical Vulnerability Found In Popular WordPress Newsletter Plugin by @mattsouthern

Web security firm, Sucuri, found a critical vulnerability in a WordPress plug-in that has over 1.7 million downloads. The vulnerability allows potential attackers to take complete control of blogs that have the plugin installed. The vulnerability was found in the MailPoet Newsletters plug-in, previously known as wysija-newsletters, and should be taken very seriously. This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website… It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, […]

The post Critical Vulnerability Found In Popular WordPress Newsletter Plugin by @mattsouthern appeared first on Search Engine Journal.

View full post on Search Engine Journal

Major Exploits Found in All in One SEO Pack WordPress Plugin

If you use the popular “All in One SEO Pack” WordPress plugin, you should update immediately. Vulnerabilities have been discovered that could get you kicked out of Google’s search results, or leave you open to JavaScript injection attacks.

View full post on Search Engine Watch – Latest

Serious security hole found in SEO plugin used by millions of WordPress users … – Graham Cluley Security News

If so, you need to update the plugin as soon as possible to the latest version. The All in One SEO Pack plugin is a very popular choice for webmasters who wish to boost their WordPress-powered site's position in search engine rankings. Indeed, over 18 …

View full post on SEO – Google News

SEO Secrets for Multi-Location Dealerships: Getting Found by Your Local … – Dealer Marketing Magazine

Do you have more than one car dealership, each in a different region or town? If so, you've probably wrestled with the predicament of optimizing each of your locations to compete at the local search level. And with the rising importance of local SEO

View full post on SEO – Google News

How Codenomicon Found The Heartbleed Bug Now Plaguing The Internet

You know that song lyric about the first cut being the deepest? It’s complete rubbish. Heartbleed taught us all that. Because the more we learn about this online data-security wound, the deeper that threat seems to go. 

Discovered independently by Google engineer Neel Mehta and the Finnish security firm Codenomicon, Heartbleed has been called “one of the most serious security problems to ever affect the modern web.” I spoke with Codenomicon CEO David Chartier, who led the Finnish team that named and outed Heartbleed, to find out more about how his team discovered it, and how deep those vulnerabilities could go. (I’ve requested an interview with Mehta via Google, but as of this writing, have had no response so far.)

We All Bleed For Heartbleed

Codenomicon's David Chartier

Heartbleed actually started out really small. In fact, it was just a slight, accidental gaffe committed by one coder. Had it been caught immediately, it would have required just filling in a missing bit of code. But it wasn’t. And now, that error has propagated to compromise much of the Internet. 

The main problem is that it affects OpenSSL, a widespread open-source implementation of the SSL/TLS security protocols used by as much as two-thirds of Web servers. The other issue is that it went largely undetected for two years—plenty of time to perpetuate across the Web and leave sites, services and accounts big and small open to infiltration. (As the National Security Agency has reportedly done, although the White House has denied that.)

The initial flood of news reports focused on the hackability of user logins, financial information, emails, photos, medical records, and much more. But Heartbleed’s reach could be bigger than anyone imagined. The OpenSSL flaw affects any server or client that uses it, and that means it could span a huge number of things—including routers and phones, as well as citywide or municipal infrastructure, such as emergency services, transit and utilities. 

How Heartbleed Surfaced

Codenomicon first discovered Heartbleed—originally known by the infinitely less catchy name “CVE-2014-0160”—during a routine test of its software. In effect, the researchers pretended to be outside hackers and attacked the firm itself to test it. 

“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses OpenSSL. And that’s how we found the bug.” 

The engineers found they could burrow in despite the cryptographic security layer, and were shocked at how much was up for grabs. They could access memory and encryption certificates, and pull user data and other records. “This is when we understood that this is a super significant bug,” Chartier said. 

The revelation was startling, not only because of the access this hole could allow, but because of its insidious nature, Chartier said. “On top of that, we couldn’t find any forensic trail that we were taking this data.” The hack was completely untraceable.

But how did something this egregious and widespread go on undetected for two years? The error is buried in the code. The only reason Chartier’s team found the glitch is that Codenomicon uses a rigorous testing process, throwing a very large number of test cases at the software to find weaknesses, just like hardcore hackers do, Chartier explained.

“The vulnerabilities you find after many tests are often more interesting than the ones you find right away,” he said. “When you find one that’s difficult, it’s more interesting [to hackers] because they can write an exploit, and it will take more time to be found.” 

The odds of finding it were slight, yet Google’s Mehta discovered the Heartbleed bug almost simultaneously. Chartier chalks it up to happenstance. “Google’s one of the leading companies in the world, and it’s constantly testing for vulnerabilities,” he said. It takes security testing so seriously, it even offers a bounty for exploits on projects like Chrome. 

But not every company takes security that seriously. 

A Fail To Remember

Codenomicon, being a Finnish company, alerted the Finnish National Security Cyber Center of its findings. Commonly referred to as “CERT,” the group urged the OpenSSL Project to provide an update and release it to the public.

Since then, the news has been circulating in both tech and mainstream media outlets, and Chartier has been impressed with how online communities have disseminated the Heartbleed information. “We’re better off today than we were a week ago, because of getting the word out there,” he said. “It’s making the Internet safer and more secure.” 

Unfortunately, the Web is not where this problem ends. Other networks also need to apply the software update in both server and client devices. This includes gadgets like phones, computers and other communication devices. It also includes numerous other technologies in the broader world, particularly as they relate to the Internet of Things. 

Because Heartbleed affects OpenSSL, which is widely adopted, it can affect an extensive range of categories, including connected homes, citywide transportation, emergency services, power grids and other utilities—pretty much any large-scale connected system. This can make locking all of them down tricky. 

Organizations must update to the patched version of OpenSSL, revoke encryption certificates that authenticate their sites and issue new ones. But systems that haven’t gone through security and system testing may not be set up to handle update protocols efficiently. “There’s a lot of stuff out there that was built a long time ago,” said Chartier. “It wasn’t built for the type of stuff that’s coming out today.”

Security tests are essential for critical infrastructure, but unfortunately, there’s still a lot of room for improvement. “A lot of companies do a little performance testing, to see if [software] does what it’s supposed to,” he said. “But they don’t do enough security testing.”

Chartier thinks it could take up to a year or two before all or most of the old versions of OpenSSL out there get updated. In the meantime, things may get tricky.

At this point, many—though not all—of the largest vulnerable sites on the Web have patched OpenSSL against Heartbleed. With some of the smaller service providers and businesses, it may take a little more time. The most prudent users may want to assume that their data was compromised, and change their passwords on every site and service once that service has been secured. The Codenomicon chief recommends going through each provider, one by one, and “finding out if they used OpenSSL, and if they patched it.” 

As for the companies and organizations, Chartier urges them to adopt more stringent security standards. “You need to put this type of testing into your build cycle,” he said. That’s the best chance at mitigating the risk—so threats don’t penetrate quite so deeply. 

Feature collage by Adriana Lee for ReadWrite using images courtesy of Flickr user Marjan Krebelj; heart lock image by Flickr user Alonis; David Chartier image courtesy of Codenomicon

View full post on ReadWrite

Copyright © 1992-2015, DC2NET All rights reserved