Windows Secrets Newsletter • Issue 238 • 2010-04-01 • Circulation: over 400,000
Table of contents
INTRODUCTION: Over 60,000 Lounge pages are now in Google
TOP STORY: Security competition reveals new browser flaws
LOUNGE LIFE: Winning the battle against obscure malware
WACKY WEB WEEK: It's not April 1 without a pranking or two
LANGALIST PLUS: Tools for managing Win7 and Vista system bootup
WOODY'S WINDOWS: Classic Shell puts XP Retro back into Win7
PATCH WATCH: Microsoft releases an emergency patch for IE
INTRODUCTION Over 60,000 Lounge pages are now in Google
By Brian Livingston

When we started opening up the Windows Secrets Lounge to Google and other Web indexes a few months ago, we didn't realize how hard it would be to get the search engine gods to find all our pages. Finally, we hit the right solution.

Google now includes more than 60,000 pages from the Lounge — over half of our total discussion threads — with the rest soon to become available to searchers around the globe.

As you'll recall from my Jan. 7 Introduction column, the old Woody's Lounge — founded by WS senior editor Woody Leonhard in 1995 — moved to WindowsSecrets.com in late 2009. One of our goals was to make available to the whole world, via search engines, the more than 125,000 threads Loungers had written since 2001.

For most of the Lounge's history, the discussion board was hosted on a series of underpowered servers. Years ago, the volunteer admins decided to ban any crawling by search engines to prevent resource overload. In 2009, however, Windows Secrets moved the Lounge to a screaming server and invited search engines to suck down all 700,000 pages at will.

Just making your site visible, however, no longer guarantees that search engines will list all your pages. We had to make several changes to files with names like robots.txt and sitemap.xml to get Google to index more than a few hundred threads. But last month, the search giant got the message and started gulping down 10,000 pages at a whack. (See Figure 1.)

Figure 1. This screen shot taken on March 27 shows that (1) about 60,000 Lounge pages are in Google's index, (2) the most-recent threads are listed first, and (3) new comments can show up in Google within an hour or two.

In the past week, we've seen the page count jump up and down — from 50,000 to 71,000 and back. This variation is probably due to the fact that Google runs thousands of servers, and each one uses a slightly different database.
You can see the latest count yourself by adding site: to the beginning of the Lounge URL in a Google query (this trick works with any domain name):

site:Lounge.WindowsSecrets.com

The trend is definitely up. Once all 125,000+ Lounge threads are available to the world's Windows users through search engines, a dream of the Lounge's administrators and moderators will be realized.

Make search engines follow your spider trail

If you'd like to see what we did to make search engines ignore the Lounge's less-important pages and concentrate on our technical content, you can view our robots.txt directives file for yourself. Or you can append /robots.txt to the end of Lounge.WindowsSecrets.com or any other domain name to view the site's directives in a browser. (The file name must be all lowercased, as specified by the Robots Exclusion Protocol.)

Until December 2009, the old Lounge's robots.txt file excluded search engines from every page. But simply lifting that restriction didn't make Google suddenly see all of our thousands of pages.

To attract Google — "Hey, over here, big boy!" — we had to perfect the art of sitemaps. These are XML files that list every URL you want search engines to index. A sitemap can contain only 50,000 URLs, so we had to create a sitemap index, which points search engines to our multiple sitemaps. Our server constantly updates the sitemaps as Lounge members create new threads.

The big value in writing sitemaps is that we get to tell search engines which pages should be visited most often. We inform Google, for example, that threads with new content should be visited frequently, whereas old threads that haven't generated new content in months can be checked less often. (This may be why new threads are showing up in Google within an hour or two, as shown above in Figure 1.)

If you'd like to create a sitemap for your Web site, see the Sitemap Protocol for more info.
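A sketch of the sitemap-index approach described above, added here as an illustration and not the Lounge's actual code: it splits threads into files of at most 50,000 URLs, writes an index that points to them, and assigns a visit-frequency hint by thread age. The host `lounge.example`, the file names, and the age thresholds are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
MAX_URLS = 50_000  # per-file limit in the Sitemap Protocol

# Constructed sample: 5 threads on a placeholder host, last posts 70 days apart.
NOW = datetime(2010, 4, 1, tzinfo=timezone.utc)
SAMPLE = [(f"http://lounge.example/thread/{i}?a=1&b=2", NOW - timedelta(days=70 * i))
          for i in range(5)]


def changefreq(last_post, now):
    """Map thread age to a changefreq hint (thresholds are assumptions)."""
    age = now - last_post
    if age <= timedelta(days=2):
        return "hourly"
    if age <= timedelta(days=30):
        return "daily"
    if age <= timedelta(days=180):
        return "weekly"
    return "monthly"


def build_sitemaps(threads, base_url, now, max_urls=MAX_URLS):
    """Return {filename: xml_bytes} for the chunked sitemaps plus the index."""
    # Newest activity first, so the first file holds the busiest threads.
    ordered = sorted(threads, key=lambda t: t[1], reverse=True)
    files, index = {}, ET.Element("sitemapindex", xmlns=NS)
    for n, start in enumerate(range(0, len(ordered), max_urls), 1):
        chunk = ordered[start:start + max_urls]
        urlset = ET.Element("urlset", xmlns=NS)
        for url, last_post in chunk:
            node = ET.SubElement(urlset, "url")
            ET.SubElement(node, "loc").text = url  # ElementTree escapes & and <
            ET.SubElement(node, "lastmod").text = last_post.date().isoformat()
            ET.SubElement(node, "changefreq").text = changefreq(last_post, now)
        name = f"sitemap-{n}.xml"
        files[name] = ET.tostring(urlset, encoding="utf-8", xml_declaration=True)
        entry = ET.SubElement(index, "sitemap")
        ET.SubElement(entry, "loc").text = f"{base_url}/{name}"
        # An index entry's lastmod is the newest change inside that file.
        ET.SubElement(entry, "lastmod").text = chunk[0][1].date().isoformat()
    files["sitemap-index.xml"] = ET.tostring(index, encoding="utf-8", xml_declaration=True)
    return files
```

Calling `build_sitemaps(SAMPLE, "http://lounge.example", NOW, max_urls=2)` shows the chunking on the small sample; with the default limit, a 125,000-thread board needs three sitemap files plus the index.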
Get your free Lounge membership today

If you haven't yet done so, get the benefits of a full Lounge membership by registering today. Just visit our quick registration form. It's free!

Already a member? Take a look at the latest topics in today's Lounge Life column and jump into the Lounge once more. Have fun!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
TOP STORY Security competition reveals new browser flaws
By Tracey Capen

CanSecWest 2010's hacker competition results in public defeat for Apple's iPhone and three of the leading Internet browsers. Apple, Microsoft, and other vendors are certain to release patches in the next few months for these holes, but what's a user to do in the meantime?

Security conferences offer forums for top security specialists to share the latest malware threats and defenses. But CanSecWest's (Canadian Security West) most-popular event is Pwn2Own, a competition for white-hat hackers. The winner is the first contestant to defeat a browser's defenses and take over a personal computer. This year's Pwn2Own included smart phones for the first time.

The most-interesting revelations at this beat-the-browser match were the contestants' ability to circumvent Microsoft's Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) security controls and their success in hacking Apple's immensely popular iPhone.

Ironically, the competition has another aspect pre-eminent with malware authors — money. In addition to bragging rights, winning this year's Pwn2Own included $100,000 in prize money put up by security company TippingPoint.

Prize money played a significant role in explaining why Apple's Safari, Mozilla's Firefox, and Microsoft's Internet Explorer were the first browsers cracked — long before anyone even attempted Google's Chrome. With $10,000 at stake for each browser taken down, the contestants went after the browsers they knew best and could defeat the fastest. Noted security specialist Charlie Miller, for example, has won prize money three years in a row — all at Safari's expense.

Miller's win this year was somewhat controversial. TippingPoint and other companies sponsor the Pwn2Own competition for the knowledge contestants reveal when breaking the browsers.
But, as noted in a Computerworld article, Miller declares that he will not give any security company specific details on the 20 flaws he found — not only in Apple's product, but in Adobe Reader and Microsoft Office as well. He states, however, that he's willing to show the vendors how to find the flaws on their own.

Bottom line: Though this competition includes some of the world's leading malware experts, it does not answer the average PC user's one all-important question: which browser is most resistant to attack?

Google's Chrome the 'winning' browser

For the second year in a row, Google's Chrome was the only browser not hacked — not because it was unbreakable, but because the other browsers were easier targets.

Compared to IE, Firefox, and Safari, Chrome is a new browser. As noted above, the contestants have far more time invested in researching (and breaking) security flaws in Safari, Firefox, and — especially — IE. As ZDNet's Garett Rogers put it in a March 28 post:
That said, Chrome is getting respect for its seemingly more-secure design. A Techie Buzz story offers a brief description of how Chrome uses sandboxes to resist malware attacks. A programming technique, sandboxes keep potentially harmful software isolated from safe apps — much like putting someone who may have a contagious disease in quarantine. The story goes on to say that IE also uses sandboxes, but with obviously less success.

The upshot: Use Firefox for day-to-day Internet work on sites you know are safe. Typically, it's a smaller target for malware attacks than is IE, and I prefer its interface to Chrome's. Use Chrome when surfing to sites you're unsure of. When installing Chrome, just remember to uncheck the box that makes it your default browser.

IE 8 gets new breach — and a new patch

The most-worrisome security flaw revealed by the Pwn2Own contest was the Internet Explorer 8 hack. Dutch researcher Peter Vreugdenhil won $10,000 by circumventing Windows 7's two best anti-malware controls, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

An independent security expert, Vreugdenhil immediately published a paper, available on his Web site, describing in general terms how he did it. (He states he will not publicly reveal the exact exploits used.)

He was able to take over a fully up-to-date Windows 7 system in two steps. First, he managed to evade ASLR and get the memory address of a Windows 7 .dll file. Next, he disabled DEP by using a previously known exploit.

Circumventing DEP is especially troubling: Microsoft relies heavily on DEP to keep out new malware that's unknown to antivirus applications — so-called zero-day attacks.

A March 30 Microsoft Security Response Center bulletin announced the unscheduled release of an Internet Explorer update.
According to the bulletin, this release was not related to the IE 8 vulnerability revealed at CanSecWest (which Microsoft is still investigating) but is a cumulative security patch for all versions of Internet Explorer.

Security Bulletin MS10-018 (980182) is marked critical, addresses 10 Internet Explorer security flaws, and should be installed as soon as possible. For more on this and a large Apple patch release, see contributing editor Susan Bradley's Patch Watch column in today's paid content.

Safari may be the most-vulnerable browser

The first browser to fall in the CanSecWest competition was Safari, mostly due to Charlie Miller's expertise in Apple code. There's been a long and loud debate about why hacking is such a problem on Windows yet relatively unheard of on the Mac.

Given the huge commercial nature of today's malware attacks, the answer is not that Macs are more secure (they're not, according to almost every security expert) or that hackers have it out for that evil empire called Microsoft. The answer most likely comes down to money. Mac's approximately 8% market share simply does not offer sufficient monetary return on a hacker's time investment. Mac users are just plain lucky.

For an interesting and somewhat worrisome article on Mac malware, read Andy Greenberg's March 25 article, "The bounty for an Apple bug: $115,000."

Smartphones make a new and tempting target

Possibly the most talked-about event at Pwn2Own was Vincenzo Iozzo and Ralf Weinmann's $15,000 prize for hacking Safari in a fully up-to-date iPhone. This is the first time the iPhone 2.0 operating system has been so openly compromised.

If market share defines the likelihood of a malware attack, what does that portend for the iPhone? A recent report by AdMob, a Google company, states that iPhones make up 50% of the smartphone Internet traffic on AdMob's network. (According to a Gartner study, iPhones made up only 14.4% of worldwide smartphone sales in 2009.)
Such a high level of Internet activity from one brand of smartphone should make a tempting target for malware attacks. The CanSecWest competition has now proved that the Safari browser on iPhones is vulnerable. Safari is currently the only browser allowed on that device.

What happens when your phone is stolen or lost? A good hacker can probably get past both the phone password and any add-on data encryption apps you may have installed. That said, an article in Appletell, "Apps to help keep your iPhone data secure," lists a few you might consider.

French team finds a security flaw in network cards

Public disclosure is an important aspect of security conferences. Security threats known only to an elite group of hackers or security specialists (or both) are brought out into the open. At CanSecWest, one of the less-known security holes — the common network interface card — was revealed.

A story in Malware Diaries describes how two Frenchmen, Loic Duflot and Yves-Alexis Perez, proved that a hacker can execute code on a network card and then take over a PC. That's scary, because network cards, your link to the Internet, communicate with PCs at a low level, where most anti-malware applications never look.

This security threat is completely independent of what operating system you use. It doesn't even require that your PC be powered on. The malicious code uses network-card functions that are normally turned off. When you turn on your PC, those newly enabled functions act as the hacker's doorway into your system.

Note that the point of this demonstration is not to make PC users worry about an immediate threat but rather to give security experts another avenue of attack for consideration. In other words, don't rip out your network interface card and go looking for a more-secure one. You won't find it.

The best policy is to treat your network card as you do your applications. Sign up for update notifications from the network card vendor, and add patches as they come out.
Broadcom boards, for example, notoriously need updates (download page) — and not just for security reasons. The good news is, there are so many easier ways to hack a PC that in-the-wild network card attacks are unlikely. Contributing editor Susan Bradley contributed to this story.
Tracey Capen is technical editor of WindowsSecrets.com. Susan Bradley is a WS contributing editor and a partner in a California CPA firm.
LOUNGE LIFE Winning the battle against obscure malware
By Tracey Capen

Sometimes the most difficult part of keeping your PC clean is knowing what's malware — and what's not. When you need help identifying suspicious files, expert users on the Lounge make an excellent resource.
Member Steve Weeks is looking for information on updating Windows and asks whether there are better sites than Microsoft's.
If you're already registered, you can jump right in to today's discussions in the Lounge.

The Lounge Life column is a digest of the best of the WS Lounge discussion board. Tracey Capen is technical editor of WindowsSecrets.com.
WACKY WEB WEEK It's not April 1 without a pranking or two
YOUR SUBSCRIPTION The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008. Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine). Editorial director: Brian Livingston. Senior editors: Fred Langa, Woody Leonhard, Ian Richards. Technical editor: Tracey Capen. Program director: Tony Johnston. Web developer: Damian Wadley. Research director: Stephanie Small. Lounge administrator: Keely Dolan. Copyeditor: Roberta Scholz. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Ryan Russell, Robert Vamosi, Becky Waring. Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners. HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page. WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period. 