Saturday, January 20, 2007

Designing IE Exclusive Sites Is Counterproductive And Puts Your Visitors At Risk

By Coenraad De Beer

Have you ever come across a notice reading "This site has been optimised for Internet Explorer" or "This page requires Internet Explorer"? Did you ever have trouble opening a specific page and when you sent a complaint to the webmaster, you got a blunt answer: "Please ensure that you are using the latest version of Internet Explorer when visiting our site." So many web designers still use this outdated practice of designing web sites exclusively for Internet Explorer (or any other browser for that matter).

Excuse me for being so forthright, but designing a web site exclusively for a specific browser is downright stupid. The time when the Internet was monopolised by a single browser is long over. Internet Explorer, Firefox, Opera and Safari are some of the most popular browsers used by surfers today, with Internet Explorer and Firefox taking up the biggest part of the browser market share. It is a dreadful Internet marketing mistake and you lose thousands of visitors by focussing on one specific browser and shutting out the rest. But choosing the wrong browser does not only have economic effects on your web site, it also puts the security of your visitors at risk.

The history of Internet Explorer has been plagued by security flaws and rendering bugs. Many web designers know how hard it is to display a perfectly coded site correctly in Internet Explorer. A site may display beautifully in Mozilla Firefox, but may appear completely broken in Internet Explorer. The rendering bugs in Internet Explorer require clever tricks and "hacks" to work around them. This means double production time when developing a web site. You first need to develop the site in general and then test it with Internet Explorer to see where you need to employ these workarounds. By restricting your visitors to Internet Explorer only, you force them to use an insecure browser and you waste your time by patching its rendering flaws with clever workarounds. Who knows, a rendering flaw may be exploitable and you are promoting those flaws by forcing your visitors to use a browser that is the direct cause of the rendering problems of your site. By working around these flaws you may even make it easier for hackers to exploit them. I know I am exaggerating a bit, but I will feel much safer using a browser without these rendering issues. At least I know there is no chance of exploitation.

Another thing is the basic HTML coding errors that are automatically fixed by Internet Explorer. I have seen inexperienced web developers spending hours developing a web page, experiencing no problems when displaying it with Internet Explorer, but suddenly encountering difficulties displaying the page in Firefox. Firefox is not there to cover up for your mistakes; coding standards are there for a reason. Imagine developing a compiler for a programming language that has to fix common coding errors made by programmers. It is a complete waste of time and code; you can simplify the code of the program substantially by removing these useless error-controlling routines. It will make debugging much easier and faster. Why do you think Microsoft takes so long to get security flaws fixed? I reckon Internet Explorer has far more complex code than Firefox. You can cut your web development time in half if you test your web site in a browser like Firefox, which is far more compliant with W3C standards than Internet Explorer.

There is nothing wrong in "fixing" your web site for Internet Explorer visitors, you are only making your web site accessible to more users, without forcing them to use a different browser. But the whole irony behind "fixing" your web site comes down to fixing something that is not broken. A standards-compliant Cascading Style Sheet (CSS) must be amended with redefinitions of widths and heights to make your site compatible with Internet Explorer. When you run the style sheet through a CSS-validator, you will receive warning messages for a document that was actually 100% compliant before these changes. Some bugs are not always that easy to fix. For instance the transparency bug with Portable Network Graphics (PNG) files. You either must choose to keep the PNG files and live with the bug or convert all your PNG images to Graphics Interchange Format (GIF) files.

Every web designer must aim to develop a web site that is compliant with web standards, not a specific browser. An open source browser like Firefox supports most of the features in Internet Explorer and you can easily add functionality that is not supported by default, with the use of an extension. So this brings me only to one conclusion: web designers designing Internet Explorer specific sites are only spiteful. The only reason why you are unable to open a specific page is not because your browser does not support it, it is because the designers are deliberately blocking it. Why block a browser which most probably does a better job than Internet Explorer with that specific page of your site? I can only see it as childish jealousy over other browsers doing things better than Internet Explorer. You may end up creating security flaws on your own site by being so narrow minded and making things so complicated. If a web site requires a visitor to use a specific browser, it implies that certain client-side processing is required that is dependent on a specific browser and cannot be done on the web server. That is extremely dangerous, especially when it comes to capturing sensitive information. The visitor never knows whether the web site owner wants to exploit a flaw in a specific browser or steal the visitor's private information without raising any alarms caused by certain browsers.

Many people may argue: "Hey you are fast to point the finger to other designers. You have a notice Best Viewed With Firefox displayed at the top of each and every page of your site, for every user not browsing with Firefox". But there is a huge difference between "Best Viewed" and "Optimised For". A site is best viewed in a specific browser, but you can still view it with any other browser. A pure standards-compliant web site should render correctly in any of the latest mainstream browsers, which is the main goal of HTML and CSS coding standards. It is not my fault if a browser cannot render my web site correctly when I adhere to these standards. Best Viewed With Firefox simply means that if my web site appears broken, then it is because you are using an inferior browser. Rediscover the web by using a browser that displays a site as it is supposed to appear on your screen, without the need of clever monkey tricks and coding workarounds. Do not let selfish companies force you to substitute your security for access to their web site.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.

Thursday, January 11, 2007

The Key To Beating Spam

By Coenraad De Beer

Unsolicited junk mail is one of the biggest problems faced by Internet users every day. We have spam filters keeping spam out of our mailboxes, but these filters are far from perfect and many legitimate e-mails are filtered as spam because of this. So what exactly is the true key to beating spam?

Spammers have changed their tactics a lot over the last few years and the amount of spam circulating the Internet is rising at an alarming rate. The vast diversity of spam messages and different techniques used by spammers make it hard to identify spam accurately, whether it is a human being or a computer program doing the identification. Identifying spam will not have a direct impact on the amount of spam distributed each day, but over a long period of time it can make spam an ineffective method of marketing. Spammers continue to distribute unsolicited bulk e-mails because it works and they need active readers to make it work. If nobody reads their e-mails anymore, they will have no reason for wasting their time on unresponsive recipients, except for the lunatics who like sending junk e-mails for no reason at all.

Spammers link to remote images or JavaScript from within their e-mails to track their performance. These linked objects are loaded from a server each time a recipient opens one of their e-mails. They monitor the logs of these servers to see how many times the images or scripts were loaded, which will effectively give them a good indication of how many times their e-mails were opened. If they continue to see activity from these linked objects, they will continue sending spam. An e-mail client like Thunderbird can be configured to block remote images in e-mails. Images embedded into the e-mail or images sent as attachments will still be displayed, because embedded and attached images cannot send tracking information to the sender. Blocking remote images will not cause any discomfort while reading legitimate e-mails; all remote images in a legitimate e-mail can easily be unblocked with the click of a button. Disabling JavaScript in your e-mail client is not a bad idea either; very few legitimate e-mails use JavaScript, so you will not miss a thing by disabling it. In fact, it is safer anyway to read e-mails without the execution of JavaScript. By blocking images and disabling JavaScript you make it impossible for spammers to monitor the performance of their e-mails.

The main reason why spammers embed images into their e-mails instead of using text is to bypass the spam filters. Certain phrases within the text of an e-mail may trigger a spam filter, but spam filters cannot read the contents of an image, so it is perfectly safe to put the text inside an image and embed the image into an e-mail. This worked for a while until spam filters started to flag these messages as spam. Spammers started to add random text from various books at the end of their e-mails to fool the spam filters. Spam filters cannot read the text of an e-mail in context with the rest of the e-mail, so e-mails containing an image and some senseless text at the end may appear perfectly legitimate to most spam filters. Spammers also add CAN-SPAM banners and fake unsubscribe links to their e-mails to make them appear legitimate and compliant with anti-spam legislation. Anyone can add a CAN-SPAM banner to an e-mail and the only purpose of the unsubscribe link is to confirm that your mailbox is active. You may believe that you will be removed from their list by clicking on the unsubscribe link, but that will only cause your e-mail address to be moved to their priority list and you will be exposed to even more spam.

Links in spam e-mails normally contain affiliate or tracking codes. The affiliate code will only be beneficial to the spammer if you buy something from the web site referred by the link. You should never buy anything from a web site referred by a spam e-mail, not even a well-known and trustworthy site. You always run the risk of becoming a victim of a phishing attack. Links containing tracking data may be linked to your e-mail address and can have the same effect as a fake unsubscribe link. Sophisticated spammers can create a unique link connected to the e-mail address of each e-mail they send out, so they can easily confirm that your e-mail account is active when you click on one of those links.
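The tracking described in the paragraphs above (remote images and scripts that load when a message is opened, and links tied to the recipient's address) can be checked for in a saved message before it is rendered. The following Python sketch is an added example, not part of the original article; the sample message, its host names and the `audit_message` helper are constructed for illustration.

```python
import base64
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample message (not real spam): a remote 1x1 image, an embedded
# cid: image, a remote script, and two links with query-string codes.
SAMPLE = """\
From: offers@shop.example
To: alice@example.org
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://img.shop.example/open.gif?uid=7f3a9c21d4" width="1" height="1">
<img src="cid:logo123">
<script src="http://img.shop.example/t.js"></script>
<a href="http://shop.example/buy?aff=1042&amp;r=YWxpY2VAZXhhbXBsZS5vcmc">Buy</a>
<a href="http://shop.example/unsubscribe?id=7f3a9c21d4">Unsubscribe</a>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects everything the HTML body would load, run or link to."""

    def __init__(self):
        super().__init__()
        self.resources = []  # src= URLs, fetched as soon as the mail is rendered
        self.links = []      # href= targets, contacted only if the reader clicks
        self.scripts = 0     # <script> elements plus inline on* event handlers

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts += 1
        self.scripts += sum(1 for name in attrs if name.startswith("on"))
        if attrs.get("src"):
            self.resources.append(attrs["src"])
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def _names_recipient(url, recipient):
    """True if the URL carries the recipient address, plain or base64-encoded."""
    # Heuristic: an opaque token mapped to the address on the sender's side
    # cannot be recognised from the message alone.
    if not recipient:
        return False
    raw = recipient.encode()
    markers = {
        recipient,
        base64.b64encode(raw).decode().rstrip("="),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }
    decoded = unquote(url)
    return any(marker in decoded for marker in markers)


def audit_message(raw_message):
    """Report what opening or clicking this message would reveal to the sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    recipient = parseaddr(str(msg.get("To", "")))[1]
    report = {"remote": [], "embedded": [], "scripts": 0, "links": []}
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # plain-text mail: nothing is fetched on open
        return report
    collector = _Collector()
    collector.feed(body.get_content())
    for url in collector.resources:
        scheme = urlsplit(url).scheme.lower()
        if scheme in ("http", "https"):
            report["remote"].append(url)    # would show up in the sender's logs
        elif scheme in ("cid", "data"):
            report["embedded"].append(url)  # travels inside the message itself
    report["scripts"] = collector.scripts
    for url in collector.links:
        report["links"].append({
            "url": url,
            "params": [name for name, _ in parse_qsl(urlsplit(url).query)],
            "names_recipient": _names_recipient(url, recipient),
        })
    return report
```

Calling `audit_message(SAMPLE)` lists the two remote loads separately from the embedded `cid:` image and marks the first link as carrying the recipient's address.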

So what is the bottom line of all this? To battle spam effectively, you need to ignore it. But you can only ignore it if you are able to identify it. Identifying spam often means that you need to open the e-mail. Opening the e-mail may cause tracking information to be sent to a server (through remote images or JavaScript), informing the spammer that your mailbox is active or the information may be used to monitor the effectiveness of the e-mail. To prevent this tracking information from being sent you need to disable JavaScript and block remote images with your e-mail client. Links provided in these e-mails should never be trusted and you should never click on any of them.

Ignoring spam does not mean you should not report it. Ignoring spam simply means that you should not respond to the spam like the spammer would like you to do. Making spam less effective for the spammer and reporting it to the appropriate authorities is the crucial key to beating spam.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software. Cyber Top Cops is dedicated to fighting spam, do your part in the battle against spam and report it.

Wednesday, January 03, 2007

The Top 10 Culprits Causing Malware Infections

By Coenraad De Beer

Viruses and spyware are nothing strange to computer users these days. Every day we need to update our anti-virus and anti-spyware programs to keep our computers protected against these threats. A scan once a week or more is required to reveal any nasty pests which infiltrated your system without being detected. While it is imperative to have software protecting our computers against these threats, it is just as important to know how these infections occur and where they come from.

I think it is safe to assume that the places you visit on the Internet will determine which programs are installed on your PC. Let me put it this way, the software installed on your computer will have some relevance to the sites you often visit. Let's take a few examples, when you are using Gmail, chances are good that you will have Gmail Notifier or GoogleTalk installed on your PC. When you often visit Yahoo.com or take part in their social networks, chances are good that you will have Yahoo! Toolbar or Yahoo! Messenger installed on your PC. Let's take a more practical example, users visiting Microsoft.com most probably have packages like Microsoft Office and Microsoft Windows XP installed on their computers. It is likely for supporters of the Open Source Initiative to hang out on sites like OpenSource.org, OpenOffice.com, Linux.org or SpreadFirefox.com. So your software preferences play a huge role in the type of web sites you visit and vice versa.

But what has this to do with malware infections? To be honest, everything! Let me show you what the top culprits of malware infections are and it will soon be clear to you what the connection is between the web sites you visit and the malware found on your PC.

Top culprit number 1: Pornographic web sites
Download Spyware Blaster by JavaCool Software and have a look at all the porn related web sites blocked by this program. It is also remarkable to see how many computers with traces of pornographic web sites in their browser history, are often infected with spyware and trojan horses. Unfortunately you will have innocent victims of malware infections, also with traces of pornographic web sites in their browser history, but only because the malware redirected them to these sites. However, people with pornographic material on their computers are not that innocent in this case, pornography does not go out looking for people, people go out looking for pornography.

Top culprit number 2: Illegal music (MP3) and movie downloading sites
These sites normally force you to install special downloading software on your computer so that you can download files from them. These download managers are often bundled with spyware and are trojan horses themselves, downloading tons of other spyware programs while you cheerfully download your illegal MP3's. They sometimes place tracking cookies on your PC to monitor your browsing habits and hijack your browser to make sure you return to their site or a site of a partner.

Top culprit number 3: Software Piracy web sites
If you love using illegal software, cracks, serial numbers or license key generators (keygens) then you most probably had to remove some malware infections in the past after visiting one of these sites. Most of the people using these cracks are normally technical wizards and know how to disinfect their computers. Many of these sites do not only contain harmful scripts but also fake cracks and key generators, which are nothing else but malware. Some crack developers create a working crack but distribute it with spyware or a trojan horse to make your PC their slave.

Top culprit number 4: Peer-to-peer file sharing programs and networks
The file sharing community is loaded with pornography, pirated software, music and movies. Is it not amazing that everywhere these guys make their appearance you also find spyware, viruses, trojan horses and all kinds of malware? The client software is also often bundled with spyware (or adware as they call it).

The culprits discussed so far are those connected with illegal and indecent activities. People visiting these sites and using these services deserve getting infected with malware. These culprits are also some of the biggest sources of malware epidemics. What flows from the mouth, comes from within the heart. The same rule applies to your computer: those nasty little programs crawling inside your computer are, in the case of culprits 1 to 4, the direct result of your own sinful actions and activities.

The next couple of culprits are caused by negligence and a lack of knowledge about how malware is distributed.

Top culprit number 5: Pop-up and pop-under advertisements
Another culprit that wants to catch you off guard. A pop-up window may appear out of the blue or a concealed pop-under window may load in the background without you even knowing it. These windows can start downloading malicious programs and install them on your computer. They can appear on any web site, not just illegal and other bad web sites. You can prevent these windows from opening by using a secure browser like Firefox with a built-in pop-up blocker.

Top culprit number 6: Fake anti-virus and anti-spyware tools
You visit a legitimate looking web site and suddenly a banner appears telling you that your computer is infected with spyware. You can scan your computer with all the anti-spyware software in the world, over and over again until you are blue in the face, but that banner will keep telling you that your computer is infected with spyware. This is because it is a plain image banner. The site never does a scan of your computer, it is a fixed message that will display on any computer, no matter how clean it is. Simply put, it is a blatant lie! They want you to believe that your computer is infected and that only their software can remove this spyware. If you download and install their software you will only find that it is spyware itself. You may end up infecting a completely clean system with a dirty program, trying to remove the so-called spyware.

A system scan is not a three second process, it takes time, so no scanner can tell you instantaneously that your system is infected with spyware. I do not believe in online scanners, rather use software with a good reputation, a local scan is much faster. Most online scanners are no online scanners at all, you actually download the whole scanning engine and end up doing a local scan anyway. A real scanner will tell you the name of the malware and its location on your hard drive, if it does not give you this information, then it is fake. Even if it gives you this information, it still does not mean that the software is legitimate. Do not trust everything you see online and stick to well known anti-malware brands.

Top culprit number 7: Free games, screen savers, media players, etc.
No, not every free program comes bundled with spyware, but spyware (once again the developers prefer to call it adware, but it is still the same thing) is often the price you have to pay for the free software. It is normally a ploy to monitor your use of the program, to send the creators statistical data or to collect data about your online behaviour in order to send you targeted ads. If you try to remove the spyware you normally render the main application useless. Read the EULA (End User Licence Agreement) very carefully before installing the application. But everyone knows that nobody reads those tedious, long licence agreements, so use EULAlyzer by JavaCool Software to check for specific keywords and phrases that might reveal any spyware programs being installed or privacy breaching practices that may occur if you install the free software.

Top culprit number 8: Malicious web pages with harmful scripts
But you already mentioned this one in culprits 1 to 3. No, culprits 1 to 3 often have harmless web sites and it is the content you download from the sites that is harmful. But you also get web pages containing malicious scripts, totally innocent looking web sites, like a site donating money for cancer. You go to their homepage and suddenly a script virus strikes your computer. This is what an anti-virus shield was made for, that unexpected attack. Firefox is also designed to prevent harmful scripts and browser hijackers from accessing the system and taking advantage of flaws and weak spots in your operating system.

Top culprit number 9: E-mail
Virus worms spread themselves by forwarding a copy of the virus to all the contacts in your address book. Those contacts that are unaware of these worms will most likely open the e-mail and the file attached to it. But when you open a strange infected e-mail from an unknown sender, then you are guilty of double negligence. For the virus to be activated you need to open the e-mail and in most cases you need to deliberately open the file attachment too. By using a little common sense you will know that strange e-mails from unknown senders are dangerous, especially when they have executable attachments with file names ending with the "exe", "com", "bat" or "scr" extensions. Even dangerous e-mails from known, trustworthy contacts can easily be identified if the contents of the e-mail seem strange and out of character. By being careful and responsible when opening your e-mails, you will not only prevent your own computer from getting infected, but you will also prevent the worm from spreading any further.

Top culprit number 10: You the Internet user
What? Me? How on earth can I be a culprit? Well, you are an accomplice in the spread of malware if you do not have an active and updated anti-virus package installed on your computer, if you do not scan your computer for viruses and spyware on a regular basis, if you do not use shields like the TeaTimer tool from SpyBot (which is free by the way), the Ad-Watch shield of Ad-Aware or the resident shield of AVG Anti-spyware (all of which you have to pay for, unfortunately), if you spend your time browsing pornographic and illegal web sites and take part in the sharing of pirated software and copyrighted material (culprits 1 to 4), if you fail to be responsible with the software you install on your PC and the e-mails you open (culprits 6, 7 and 9) and if you refuse to use a secure web browser (like Firefox) built to prevent malware infections (culprits 5 and 8). Yes, I will go so far as to say that if you stay away from culprits 1 to 7 and 9, you probably won't need any virus and spyware protection at all. Culprit 8 is the only reason why you should have anti-virus and anti-spyware protection, for those unexpected attacks, over which you have no control.

Culprits 1 to 8 are the main sources of malware. Infections caused by them led to the creation of culprits 9 and 10, which distribute the malware even further. Do not turn your computer into a malware paradise or a malware distribution centre. Take responsibility, protect your computer against these threats and prevent the spread of malware.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software. Visit our Malicious Software Removal Assistance page for advice and personal assistance with the removal of stubborn and unknown malware infections.

Tuesday, January 02, 2007

Online Safety Of Your Children Starts With You As A Parent

By Coenraad De Beer

Parental control software is far from perfect and your kids are smarter than you may think, they will always find a way around them. Companies developing this software make millions out of parents neglecting their responsibility as a parent. What is the use of restricting the access on their computer, if they can find other ways of accessing the sites they want? You cannot use a computer program to prevent them from watching indecent TV shows and movies, you cannot use a computer program to prevent them from reading indecent magazines and books, you cannot use a computer program to help them choose their friends or prevent them from using drugs, you cannot use a computer program to protect them from predators.

You, as a parent, have the responsibility to educate your children, when they are old enough to understand, about what is right and what is wrong in life. Many kids buy their own books and computer games, they rent their own DVDs, some even have their own TV set, so it is useless, in fact foolish, to control only one source of bad influence on your children. You are only treating the symptoms and not the root of the problem, and the root is lack of proper education and raising your children without good moral values. People do not take it seriously when they are warned against the damaging effects of exposing children to all the explicit sex, nudity, violence and bad language through all the different mediums available to us today. When these immoral acts negatively affect adults and offend them, what effect do you think they have on young children? I know that immoral material on the Internet sometimes makes an appearance through unsuspected pop up windows, but these pop ups normally appear on sites where children should not have been in the first place. Our moral values have degraded so much that indecent web sites are not seen as "bad" anymore. The adults consuming this content today are the product of a previous generation of people who threw all moral values overboard.

The online safety of your children is not only about maintaining high moral values, it is also about keeping them away from online predators. These people are active on IRC channels (chat rooms), forums and may even contact your child via e-mail. So many teenagers have walked into the trap of deception. There is no way of verifying the identity of the person on the other side of your computer screen. An adult online predator, pretending to be a teenager, can easily mislead your teenager into believing that he/she has found a good online friend. This is why online dating is so dangerous, not only for children but adults as well. Online predators can behave well, they can be friendly and kind, they can be sympathetic to the problems of your child and your child can easily find comfort in that. Never let your child meet an online friend without your presence and tell them how dangerous it is meeting or talking to total strangers without parental guidance.

Educate your children not to give personal details, addresses and telephone numbers to anyone online; you should determine whether it is safe to provide these details by assessing the situation. There may be circumstances where these details are required for subscriptions to safe online services your child might want to use. You should be the judge of which services are suitable for your children and which ones are not. If you are unsure of the safety of a certain service, ask for the opinion of an expert or someone else already using it. Do not give your children too much power if they cannot use it responsibly; too much control is not good either, and you should find a balance between the two. If you fail to find a balance, you will end up compromising the safety of your child in the online as well as the offline world.

Trust goes both ways and the trust shown by the one party will help win the trust of the other party. You need to be able to trust your children, trusting that they will stick to the rules you make. You should make it clear what the consequences will be if they disobey and misbehave; be consistent with your actions and make no exceptions to your own rules. They should also be able to trust you, knowing that you will not invade their privacy. Breaking into their e-mail accounts and reading their e-mails, or installing spyware to spy on their online activities is not the right way of protecting your children. Both parties should be open and honest towards each other with everything they do. Your child should have enough confidence in you to turn to you when he or she is unsure of something or did something wrong. Not taking your child seriously in such a case will break down the trust built up between the two of you and you will end up being the direct cause of his or her mistakes. Children are a gift from God, never neglect your responsibility as a parent.
