The European Bank for Reconstruction and Development has launched a blog which is described by the bank’s Communications Director Reijo Kemppinen as an opportunity “to build dialogue, share knowledge and exchange lessons learnt in an informal forum.”
The first article, by Chief Economist Erik Berglöf, describes how the global financial crisis has changed the bank’s operations, and sets the tone for the analysis and articles to come. Four bloggers are currently signed up to contribute to the blog, and others are planned to follow, to ensure a constant flow of articles.
The blog was created for the bank by digital consultancy NetGrowth Group, which is also advising EBRD on its digital strategy. Danny Dagan, Managing Partner at NetGrowth Group said: “to succeed, a corporate blog not only has to look good and work well, it also needs to have something interesting to say. The illuminating point about the European Bank launching a blog now is that it obviously sees a need to communicate more openly with its stakeholders at a time when financial markets and their players have such high visibility.”
www.ebrdblog.com
Technorati Tags: banks, corporate blogging, ebrd, financial crisis
Tags: Community , Internet , Marketing
Next Generation Testing Conference: Achieving Balance in an Agile World.
Or not so much…
I wanted to check how much it costs and details about the conference. Unfortunately the Unicom site didn’t get tested properly. Here’s what I got:
The site itself looks like this:
Ouch!
Technorati Tags: testing
Tags: Internet
The full list of prohibited content is here. Removal requests for the UAE firewall can be submitted here.
Technorati Tags: censorship, Internet, Media, uae
Tags: Internet , Media , Middle East

Desert safari in Dubai: which company to choose, what’s included, staying overnight and dune bashing.
We went on a desert safari in the UAE in April 09, which included an overnight stay at a desert encampment. Here are some tips and highlights from our experience:
At around 3pm, we got picked up in Dubai by a driver in a sturdy four-wheel-drive, and headed north into the desert.
QUAD BIKE STOP
Our first stop was a tourist trap “farm” where you can hire a quad bike and go crazy on the dunes (15 minutes = AED150 [roughly £30/$45, at the time of writing]). We did, and it was great fun. Naturally, you have to sign a waiver before you start (“no insurance is included and you are liable for anything that happens to you”). There are the usual tourist tat shops and this is also where the drivers deflate their tyres a little to prepare for the dune bashing that comes next.
DESERT SAFARI - DUNE BASHING
If you aren’t sure what the guides mean by desert safari, then this is the main part of it. The drivers from the various companies make a bee-line for the big Tatooine-style sand dunes, and then let loose their inner boy racer. The idea is to slide, leap, bash and surf the dunes in their four wheel drives until all their passengers get motion sickness and are ready to stop for a photo-opportunity. The experience is a bit like being on a roller-coaster without the safety features, and at an angle that looks like the car is going to roll-over. You are either an adrenaline junkie and love it, or you’re not and you love the moment when it’s over. This goes on for a while, with various stops, and then you head for camp.
ARABIAN ENCAMPMENT AND DINNER
We liked the camp. Just be aware that if you’re expecting an authentic Arabian Nights experience this isn’t it. In true Emirates fashion, the locals have delegated their cultural heritage to migrant workers, and so, even the hosts dressed in traditional dishdashas were more likely to speak better Urdu than Arabic. Our driver told us there were two main encampments serving the desert safari tourists: the one we went to (about 45 minutes out of Dubai) and one that’s smaller and closer. The camp had the usual tourist amenities: take your picture on a camel or in traditional dress, have a henna tattoo, smoke the shisha, buy tat and get repeatedly approached by the man selling fake Rolexes and his friend who will absolutely write your name in sand in a bottle. Apart from the tat and alcohol at the bar, everything is free in the camp, and following the coffee and shisha, you get served a fairly sumptuous barbecue dinner, which is followed by a sword-wielding belly dancer show (about 20 minutes).
Overall, I would say there were about 200 visitors in the camp.
Once the show is over, the various tour groups depart, and within a short time, the whole place empties leaving only those who are on the overnight safari.
SHOULD I STAY OVERNIGHT AND SLEEP AT THE ENCAMPMENT?
Probably not. As everyone else left and only the three of us remained (along with camp staff who were busy clearing up the tables and preparing the encampment for the next day’s tourist herd), we pondered the virtues of staying overnight. On reflection it was good that we were the only ones left. Apparently fifty people stayed on Saturday night, and I couldn’t imagine they got much sleep, sharing the same tent space with young children and snoring adults. The idea is that you are given a sleeping bag and a space in a closed tent area, to sleep among the carpets and cushions. Despite the beautiful night sky outside, this isn’t the most comfortable of sleeping arrangements. The generator noise stays constant all night, there are mosquitoes aplenty and the sleeping bags aren’t the cleanest. You are awoken sometime between 6am and 7am and given a tray of breakfast (scrambled eggs, sausages, bread, jam, Lipton’s tea and instant coffee), and ushered out afterwards. We were then driven back to where we were staying in Dubai.
Verdict: there’s no real point in paying extra and staying overnight, as all you get is an uncomfortable sleep, that’s not too authentic or exciting, and despite the brochures talking up an extra trip the next day, we already covered that part the previous day, so the stay was sort of pointless.
If you do decide to stay overnight make sure you take the following with you:
- Ear plugs (to help you sleep against the backdrop of generator noise)
- Toilet paper (the toilets are wash-your-bum style, and do not have any loo paper in them)
- Mosquito repellent (trust me, you’ll need it)
- Some clean sheets (if you don’t like the idea of a slept-in sleeping bag).
WHICH SAFARI COMPANY SHOULD I USE?
Based on our experience, I would say that most companies follow exactly the same route, stop in the same places and end up in the same encampment. Along the route and while dune bashing, there were some 15-20 different companies going to exactly the same places and stopping for exactly the same photo-opportunities, so it’s likely that you would end up on the same trail. If you’ve had a significantly different experience to what’s described here, by all means do leave a comment at the bottom of this article for the benefit of others.
HOW MUCH DOES IT COST?
The overnight desert safari experience cost us AED450 each (around £80/$120), which included the dinner and breakfast. For the whole thing without the overnight stay we were quoted AED175-275 (£30-£50/$50-75) depending on the company and extras.
WOULD YOU RECOMMEND IT?
Absolutely. If you want to get a real sense of the sandy desert dunes, and aren’t sick on roller-coasters, it is highly recommended. If you like the adrenalin rush you’ll love it even more. I wouldn’t really stay overnight if I did it again, but that’s all part of the adventure.
Technorati Tags: desert safari, dubai, dune bashing, uae
Tags: travel

If your friends and contacts have received an email or IM message from your Hotmail account with wording along the lines of “I would like to introduce a good company who trades mainly in electronic products… etc” - it is highly likely that your Hotmail account has been compromised.
IF YOU ARE THE POOR SOUL THIS HAPPENED TO, THEN YOU SHOULD READ ON AND FOLLOW THE INSTRUCTIONS AT THE BOTTOM OF THIS ARTICLE.
In most cases when a spam email is sent in your name to someone else, the spammer doesn’t need access to your account. All they need to do is spoof your email address - i.e. make it look like it was sent from you. That’s very simple to do, and is very common.
However, the latest spate of spam from Hotmail accounts is different in that the attackers actually hack into your Hotmail account and then do some or all of the following things:
- They send a spam email to all your contacts.
- They may send a spam IM message to all your Messenger contacts
- They may delete all your Hotmail contacts
- They may set your autoresponse (the one you set when you go away) to send this spam message
- They may set your email signature to include the spam message
You know that they have hacked into the account because you can see clearly that they have sent an email from it to all your contacts, or even an instant message. They would not be able to do this if they did not have access to the account.
HOW IT HAPPENS
I don’t have a definitive answer, but I do have a theory which, based on the evidence, looks likely. If your password is a common name or a word that appears in a dictionary, then your account is vulnerable, even if it has a year of birth or number attached to it.
This is how the hackers do it:
- They employ an automated script that is fed your Hotmail address and then goes to work.
- It feeds the entire dictionary and common passwords and names into Hotmail one by one, trying to log in.
- After several attempts Hotmail “locks” the account and presents a CAPTCHA (i.e. a string of wonky letters and numbers that are supposed to stop scripts from doing exactly that, because only a human can read these letters, supposedly).
- Unfortunately the CAPTCHA method no longer stops scripts, because hackers have found ways around them. One of those ways works by using sophisticated character recognition software that can read the wonky letters. Another is to feed the letters to “CAPTCHA farms” - the letters are fed to human users, employed by the hackers to read and enter CAPTCHAs, and they are often paid by the number of CAPTCHAs they enter (for example 1 cent per entry). This becomes viable financially if the spam is part of a bigger scam. The scale of the deception means it makes more money, especially because people are much more likely to trust spam messages sent by their friends. This achieves greater returns for the hackers and means they can attack many accounts, bypassing email security systems.
- Sometimes the scripts do their work over days, and sometimes weeks, to escape being caught by Hotmail’s attack detection systems.
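From the defender's side, the last point in the list is the one that matters most for detection: a counter that only looks at a short window never sees guesses spread over days. The following is an added example, not code from this post or from Hotmail; the log format, account names, thresholds and function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample data: 'timestamp account source_ip result' per line."""
    t0 = datetime(2009, 5, 1, 9, 0, 0)
    rows = []
    # alice: 10 failures in 90 seconds (a fast script that trips a lockout).
    rows += [(t0 + timedelta(seconds=10 * i), "alice@example.test", "203.0.113.5", "FAIL")
             for i in range(10)]
    # bob: one failure every 6 hours for 10 days (guesses spread over days).
    rows += [(t0 + timedelta(hours=6 * i), "bob@example.test", "198.51.100.7", "FAIL")
             for i in range(40)]
    # carol: two typos followed by a successful login.
    rows += [(t0 + timedelta(seconds=20 * i), "carol@example.test", "192.0.2.9", res)
             for i, res in enumerate(["FAIL", "FAIL", "OK"])]
    return [f"{ts.isoformat()} {acct} {ip} {res}" for ts, acct, ip, res in sorted(rows)]

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of this width."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(lines,
             burst=(5, timedelta(minutes=10)),   # assumed lockout-style threshold
             slow=(20, timedelta(days=14))):     # assumed long-window threshold
    """Return {account: 'burst' | 'slow' | 'ok'} from failed-login history."""
    failures = defaultdict(list)
    for line in lines:
        ts, account, _ip, result = line.split()
        if result == "FAIL":
            failures[account].append(datetime.fromisoformat(ts))
    verdicts = {}
    for account, times in failures.items():
        times.sort()
        if max_in_window(times, burst[1]) >= burst[0]:
            verdicts[account] = "burst"
        elif max_in_window(times, slow[1]) >= slow[0]:
            verdicts[account] = "slow"   # invisible to the short window alone
        else:
            verdicts[account] = "ok"
    return verdicts

if __name__ == "__main__":
    for account, verdict in sorted(classify(build_sample_log()).items()):
        print(account, verdict)
```

With the long-window rule switched off, the account that receives one guess every six hours is reported as "ok", which is exactly the gap the slow scripts rely on.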
There are of course other ways for hackers to achieve this kind of attack, such as spyware on your computer, or you being deceived by a rogue website. My instructions below would help you tackle these as well.
WHAT SHOULD I DO IF MY HOTMAIL ACCOUNT GOT HACKED?
Go through the following steps, one by one:
1. Before you do anything else, change your Hotmail account password to something very safe. Not a dictionary word or name, or even a word and numbers. Use symbols such as $ and & in your password, and make it long. I know it is difficult to remember, but if you don’t want to be hacked, you’ll have to start using strong passwords.
2. Now check that your autoresponse and email signature on Hotmail do not have any spam text added to them, as this would go out to your contacts automatically.
3. Then check that your computer does not have spyware or viruses, by following the instructions here.
4. From now on keep your passwords safe, and be extra careful when using public computers (such as those in Internet cafes). If in doubt - change your passwords.
5. You may want to alert Hotmail support to the problem. It seems to be happening all over the place, and the more they know about it, the better it is for their efforts to address it.
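Step 1 and the theory above both rest on the same point: a dictionary word stays guessable when a year, a number or a couple of symbols is bolted onto it. The check below is an added example, not part of the original post; the word list is a tiny constructed stand-in for a real dictionary, and the minimum length of 12 and the function names are assumptions.

```python
import re

# Constructed stand-in for a full dictionary / common-password / first-name list.
WORDLIST = {"password", "monkey", "dragon", "michael", "jessica",
            "football", "letmein", "sunshine"}

MIN_LENGTH = 12  # assumption: the post only says "make it long"

# Common character substitutions, mapped back to the letters they stand for.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def dictionary_core(password):
    """Return the dictionary word hiding inside the password, or None.

    Digits and symbols attached to either end are stripped first
    (michael1984 -> michael), then substitutions inside the remaining
    core are undone (p@ssw0rd -> password).
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    for candidate in (core, core.translate(LEET)):
        if candidate in WORDLIST:
            return candidate
    return None

def weakness(password):
    """Return 'dictionary', 'short' or None (no weakness found by these checks)."""
    if dictionary_core(password) is not None:
        return "dictionary"
    if len(password) < MIN_LENGTH:
        return "short"
    return None

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["michael1984", "P@ssw0rd2009!", "Sunshine$&", "tq7x", "v9$Kq&2rT!xLm4"]:
        print(f"{pw!r:20} -> {weakness(pw)}")
```

Note that "Sunshine$&" is still flagged: adding symbols helps only when they are not simply appended to a word from the list.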
And please note: if for some strange foolish reason you decide to go to the site advertised by the spammers, and you are even more foolish and decide to buy something on it, don’t be surprised if it never arrives. This is a well known scam, and you will never get your goods, you muppet.
UPDATE 11 May 09: I’ve been getting comments from unfortunates who not only got their account hacked, but also had their Hotmail password changed. That’s a pretty bad place to be in, but you may be able to get Hotmail staff to re-instate your account if you follow the process that Jeffrey Kottmyer suggests here.
Technorati Tags: email, hack, hackers, hotmail, security, spyware, virus
Tags: Internet , security

My blog has recently started receiving spam messages (in the form of spam comments on blog entries) from a company called VerifiedFile. I’m not going to use their URL here, so that they won’t benefit from this post, but the idea is that they purport to be a legit company, but they send out bots to leave comments on blog entries that promise:
Promote Your Website, Product & Services on Targeted Forums & Blogs
We can post your promotional message on millions of forums worldwide. No, this isn’t spam email. It’s penetrating online established communities relative to your website, product or services. Not only does this increase SEO & Web Traffic, but by targeting forums relative to your online activity, you are able to increase potential sales.
Note: Your post will appear exactly like this post. You define the TITLE, POST, & ANCHOR TEXT which can include url back links to your website. This post was published by our automated software. Spam laws are only relative to email which makes everything we do 100% legal.
As a blogger I find it quite offensive that a company posts their dross spam on my blog, and tries to make out that it isn’t spam because it isn’t “email spam”. If anything, they are the worst kind of spammers. They infect content with their nonsense marketing.
But there is good news in all this. Most decent blog software already identifies VerifiedFile’s content as spam (on WordPress Akismet does a good job of sending it straight to the spam queue). The company in question has only a small number of links to its own website so its promotional method clearly doesn’t work - and hopefully it stays that way. The IP from which the company is spamming has already been added to the Stop Forum Spam list, also a good sign, and Project Honey Pot’s tracking report on VerifiedFile’s spam spider IP is here.
It’s also worth noting that because comments on most blogs automatically carry a “no follow” tag, they are not counted as links by search engine spiders, and therefore do not increase the spammer’s SEO ranking.
And finally, if you are serious about online marketing, befriend us bloggers. Don’t spam us - and certainly do not p*ss us off.
Technorati Tags: Marketing, online marketing, spam
Tags: Internet , Marketing , Media
WordPress is an excellent blogging platform, but as it is so popular it’s also a constant target for those wanting to find and exploit its vulnerabilities. You should note that as with other web platforms, keeping WordPress secure is a constant job of updating and keeping up with the latest news and exploits.
Below are some key security tips, if you are installing a WordPress blog, or you want to make your existing blog more secure. This is a live article, and I will be adding more as I go along, or those suggested to me that make sense.
Make sure you back everything up before you start, and please read this article through to ensure you feel comfortable with the technical level required. Like any server and installation changes, it will require some problem-solving and technical common-sense along the way, as no two systems are alike (and no two geeks are alike either). Any changes you make are at your own risk.
Top WordPress security tips:
1. When you install WordPress, it might be a good idea not to use the default directory that WordPress installs in (root/wordpress/), and instead either use the root directory or a directory with a different name. This means that automated scripts looking for the WP directory will not identify it on your site. There are, of course, other ways to identify a WP installation, but anything that makes your installation different to the standard steps a bot will follow to crack it is a good start.
Instructions on how to move the WP installation directory can be found here.
Note: there is also another (non security) reason to install WP in a root directory - it is more likely to rate higher on search engines if it is in the root. Depending on the popularity of your site this might be crucial.
Another note: if you are already running WP, you can simply move your directory, using the same instructions in the link above.
2. Make sure your WordPress installation is the latest version, and upgrade whenever a new version is released. These releases often fix security bugs and issues, and the longer you are behind the latest upgrade, the more likely you are to be exposed to attacks based on old vulnerabilities that you haven’t patched yet.
3. Install the WordPress Security Scan plug-in. This is an excellent way to track some of the more common security risks on your installation. Conversely, if your server does have some robust access settings, the plug-in will not have access to do things like changing database table names, so I’ve detailed some of the manual steps below. Make sure you use the plug-in’s scanner function to ensure your folders have the correct security permissions.
4. Change the database table prefix of your WP installation from “wp_” (the default) to something else that’s hard to guess (e.g. something like this: “gh786Hg_”). If an attacker knows the database structure and table names, it makes attacking it easier. Instructions on how to make this change can be found here. You may also be able to achieve this through the WP Security scanner (see 3. above) but some environments will not allow it, and you’ll have to make the changes manually. If you aren’t familiar with SQL, be careful and make sure you back up your database and know how to restore it if it all goes wrong.
5. Make sure you remove the user “admin” and replace it with a name that is less easy to guess. Leaving it there opens you up to a dictionary attack whereby the hacker tries to crack your password using a script that tries lots of different passwords. If successful, they will gain full control of your blog.
6. Install the “Login-Lockdown” plug-in. This will also stop dictionary attacks in general, by limiting the number of failed logins allowed into your blog.
7. Hide your WordPress version. Again, revealing as little as possible to the potential attacker. This can be achieved through the Secure WordPress plug-in.
8. Hide your plug-in directory to stop hackers from accessing it and seeing its content. To be honest, if your server is set up well, this should not be a problem, but just in case: Create an empty file called index.htm, and place it in the wp-content/plugins directory. Or, if you can access your .htaccess file in your root directory, then even better: add the following lines to it:
# Prevents directory listing
Options -Indexes
9. Make sure you have an .htaccess file in your wp-admin directory. This protects your key WP admin files. The file should contain the following:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
10. Now install the WordPress Firewall plugin from SEO Eggheads. The author describes its purpose as follows: “It intelligently whitelists and blacklists pathological-looking phrases based on which field they appear within in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.” The specific areas it covers are Directory Traversal, SQL Injection/Tainting, WordPress-Specific SQL Injection, Executable File Upload, Field Truncation and Remote File Execution.
11. Now we need to have a word about Plug-ins - you have to be aware that plugins are inherently a security risk; even some of the more popular ones. They are created by (usually) great coders, but some coders are less great, and miss the obvious flaws in their plug-in. In a recent WordPress installation, I discovered two popular plugins that were wide open to hijack through SQL injections. There is no easy way to avert this, but take the following precautions:
- Ensure you follow good security precautions on everything else. Ensure your servers, databases and PHP installations are set to be as secure as possible.
- If you have the knowledge, give your plugins a once-over or scan them for injection risk using scanning software.
- If you don’t know how to do the above, and are running a corporate site with much credibility at stake, get professionals to do it for you.
- Update plugins regularly to the newest version - to ensure any flaws the owner discovered and fixed are also fixed on your installation.
12. I mentioned the need for the environment (servers, databases, PHP etc.) to be as secure as you can make it. If you don’t control these variables (for example because your hosting company does), check their security credentials and find out if they have a good record for security. There’s no point in having a great secure WordPress installation running, if the server it is hosted on is vulnerable. And while we’re on the subject, if you have access to your PHP settings, and you’re not a PHP guru, you might want to run your PHP installation in “safe mode” and also set “register globals” to “off”, and expose_php to “Off”.
13. And finally, trivial but true: make sure your admin password is a good one. I know it sounds silly, but use a long un-guessable, non-dictionary password, that combines upper/lower case letters, numbers and symbols. No, really!
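Several of the tips above (1, 4, 8 and 9) can be checked from the files on disk without touching the database. The script below is an added example, not code from this article or from any of the plug-ins it mentions; it assumes a standard layout with wp-config.php and .htaccess in the installation root, and the function names are hypothetical.

```python
import re
from pathlib import Path

# Matches the $table_prefix assignment in wp-config.php.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)

def table_prefix(wp_config_text):
    """Return the configured table prefix, or None if it cannot be found."""
    match = PREFIX_RE.search(wp_config_text)
    return match.group(1) if match else None

def listing_disabled(htaccess_text):
    """True if an uncommented 'Options ... -Indexes' directive is present."""
    for line in htaccess_text.splitlines():
        tokens = line.split("#", 1)[0].lower().split()
        if tokens[:1] == ["options"] and "-indexes" in tokens[1:]:
            return True
    return False

def audit_wordpress(root):
    """Return a list of (tip_number, message) findings for the install at root."""
    root = Path(root)
    findings = []

    # Tip 1: default installation directory name.
    if root.name.lower() == "wordpress":
        findings.append((1, "installed in the default 'wordpress' directory"))

    # Tip 4: default database table prefix.
    config = root / "wp-config.php"
    prefix = table_prefix(config.read_text(errors="replace")) if config.is_file() else None
    if prefix is None:
        findings.append((4, "could not read $table_prefix from wp-config.php"))
    elif prefix.lower() == "wp_":
        findings.append((4, "database tables use the default 'wp_' prefix"))

    # Tip 8: plugin directory listing (empty index file OR Options -Indexes).
    plugins = root / "wp-content" / "plugins"
    has_index = any((plugins / name).is_file()
                    for name in ("index.htm", "index.html", "index.php"))
    root_ht = root / ".htaccess"
    no_listing = root_ht.is_file() and listing_disabled(root_ht.read_text(errors="replace"))
    if plugins.is_dir() and not (has_index or no_listing):
        findings.append((8, "wp-content/plugins may be listable"))

    # Tip 9: .htaccess present in wp-admin.
    if not (root / "wp-admin" / ".htaccess").is_file():
        findings.append((9, "no .htaccess file in wp-admin"))

    return findings

if __name__ == "__main__":
    import sys
    for tip, message in audit_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"tip {tip}: {message}")
```

An empty result only means these four file-level checks passed; the admin user name, plug-in code and PHP settings from the other tips still need to be reviewed separately.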
Happy (and safe) blogging!
Technorati Tags: blogging, security, wordpress
Tags: security , wordpress
Last week I got an insight into how Google penalties work if you use a URL too many times in a blog entry.
In my recent article, I covered how scammers target Sedo users.
The article was included in the Google index within the hour, as it usually is for my blog, and for the following three days I had 80-100 daily unique users reach it through Google.
Then on the fourth day - all traffic to the page from Google stopped. Nothing. Nada.
After a quick investigation, I found that that particular page was no longer included in the Google index. The rest of my site was unaffected.
I looked at it in more detail and theorised that because I quoted the correspondence with the scammer, which repeatedly included his email address (“murphy@eliteinvestment.net”), Google must have decided that this was a spam message and excluded it from its index - probably because Google ignored the “@” sign and treated the companyname.com part as a URL, thus viewing it as being repeated many times over. The other option is that it doesn’t like too many repeats of the same email address, although I like my first theory better.
I decided to test my theory, and reduced the total number of references to the company from a total of ten URLs/emails (eliteinvestment.net) to only three. I then updated my sitemap and pinged Google to re-crawl my site.
Sure enough, a week later my article has been re-indexed, and is hitting traffic again. An insight into the mind of the (fluffy) beast.
It also shows that my pages were first ingested and indexed, and only a few days later the penalty was applied.
Technorati Tags: google, search, seo
Tags: Internet , seo