17 Greasemonkey Scripts to Turbocharge Your Browser

June 25, 2008 – 5:53 AM

The Internet offers a wealth of excellent tools, information, and entertainment, and it asks very little from us in return. So don’t get upset when a poorly designed online tool or site gets on your nerves; instead, use Greasemonkey, a free Firefox add-on that harnesses the power of JavaScript to right usability wrongs and improve the functionality of specific Web sites and of the Internet at large.

Greasemonkey can improve just about anything it touches, whether by adding must-have features to Gmail, streamlining your social life in Facebook, or speeding up your blog posts. The best part? Thousands of Greasemonkey scripts are free to download, and installing them is as simple as clicking a single link.

In my day job as senior editor of Lifehacker, I regularly use Greasemonkey scripts to streamline my online workload, stay organized, and speed through the Web.

Even though Greasemonkey scripts are written primarily for use in Firefox with the Greasemonkey extension, many of them also work with Internet Explorer (via IE7Pro or Trixie), Safari (try GreaseKit or Creammonkey), and Opera (which includes built-in support for the scripts). After installing the appropriate add-on for your browser, you’re ready to improve your Web experience.


Keep Tabs On Home Security With A Webcam And Twitter

June 24, 2008 – 5:27 PM

Worried about someone breaking into your house while you are away? Or just need to keep tabs on who enters your room in your absence? All you need is a webcam, a Linux PC or laptop, and a Twitter account, and you are set for real-time updates through Twitter about everything that goes on at your home behind your back (you can even receive a text message/SMS on your phone). Keep reading for the very simple setup you need.


New tools to block and eradicate SQL injection

June 24, 2008 – 5:22 PM

The MSRC released an advisory today that discusses the recent SQL injection attacks and announces three new tools to help identify and block these types of vulnerabilities. The advisory discusses the new tools, the purpose of each, and the way each complements the others. The goal of this blog post is to help you identify the best tool to use depending on your role (i.e. Web Developers vs. IT administrators).

Web Developers Recommendations

  • The Microsoft Source Code Analyzer for SQL Injection (MSCASI) is a static code analysis tool that identifies SQL injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). To run MSCASI you need access to the source code; MSCASI reports the areas vulnerable to SQL injection, identifying both the root cause and the vulnerable path. In our view, fixing the root cause of the bug is the best way to eradicate vulnerabilities. MSCASI scans ASP source code and generates warnings for first-order and second-order SQL injection vulnerabilities. Please refer to the SQL team’s blog and KB 954476 for more details.

IT/Database Administrators Recommendations (as well as Web developers)

We recommend two of the new tools announced today. One helps identify SQL injection vulnerabilities by crawling the website; the other aims to block potential SQL injection attacks by filtering malicious requests. The website crawler is useful if you don’t have access to the source code.

  • Microsoft worked with the HP Web Security Research group to release the Scrawlr tool. The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities. For more information check out the HP Web Security Research blog.
  • In order to block and mitigate SQL injection attacks (while the root cause is being fixed), you can also deploy SQL filters using a new release of URLScan 3.0. This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, URLScan helps prevent potentially harmful requests from being executed on the server. It uses a set of keywords to block certain requests. If a bad request is detected, the filter drops the request and it never reaches the database. That said, if a SQL injection flaw has been identified, we highly encourage you to fix the root cause of the problem instead of attempting to produce the perfect filter (since in our view this is error prone). Please refer to one of the two IIS blog posts (1, 2) and the technical documentation for more details.
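The advisory distinguishes first-order from second-order SQL injection and recommends fixing the root cause rather than filtering. The following added example (not code from the MSRC post or from the tools it names) shows both flavours in Python/sqlite3, each beside the parameterized form that removes the defect; the table and user names are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample table; not data from the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user_vulnerable(conn, name):
    """First-order injection: the request value is pasted into the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    """Root-cause fix: the value is bound as a parameter and cannot alter the query."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def register_user(conn, name, email):
    """The write is parameterized, so the stored string is inert at this point."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, email))

def stored_name(conn, name):
    """Read a name back from the table (None if absent)."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def profile_vulnerable(conn, name):
    """Second-order injection: a value read back from the database is treated as
    trusted and concatenated into a later query, so the stored string fires here."""
    stored = stored_name(conn, name)
    if stored is None:
        return []
    sql = "SELECT name, email FROM users WHERE name = '" + stored + "'"
    return conn.execute(sql).fetchall()

def profile_safe(conn, name):
    """Parameterize every query that touches the value, not only the one at the edge."""
    stored = stored_name(conn, name)
    if stored is None:
        return []
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (stored,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    register_user(db, "eve' OR '1'='1", "eve@example.test")
    print(profile_vulnerable(db, "eve' OR '1'='1"))  # every row: the stored quote closed the literal
    print(profile_safe(db, "eve' OR '1'='1"))        # only eve's own row
```

A keyword filter in front of the vulnerable functions would have to recognise the stored value on its way out of the database as well as on its way in, which is why the advisory treats filtering as a stopgap.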


Adobe ships critical PDF Reader, Acrobat patch

June 24, 2008 – 9:22 AM

Adobe has shipped a critical update to patch a code execution vulnerability affecting multiple versions of its Reader and Acrobat products.

According to Adobe’s advisory, the flaw “could potentially allow an attacker to take control of the affected system.”

If you have Adobe Reader or Acrobat installed on your machine, this update should be treated with the highest possible priority because the vulnerability is being exploited in the wild.


$1B Market for Meddling With DNS Poses Security Problem

June 24, 2008 – 6:13 AM

The interception of Internet traffic to snoop on phone calls or track surfers’ behavior is a hot topic — but what’s keeping members of ICANN’s Security and Stability Advisory Committee up at night is the interception of traffic to and from sites that don’t even exist. They explained why in a session at ICANN’s public meeting in Paris on Monday.

There are still a few possible domain names out there that have not yet been registered, and if you accidentally type one of them into your browser’s address bar, you ought to receive an error message from the Domain Name System (DNS) signalling that the domain does not exist.

What happens to those error messages is of concern to SSAC’s members, who advise on the security and integrity of the domain name systems that the Internet Corporation for Assigned Names and Numbers (ICANN) coordinates.

Some ISPs (Internet service providers) and domain name registrars see the error messages as a missed opportunity to “help” their customers find the site they are looking for — and to make a little money on the side. They do this by intercepting the error messages and modifying them to point to a Web site that they control, typically carrying advertisements related to the domain name typed.

“There’s a perceived $1 billion market for domain error resolution,” said Dave Piscitello, ICANN’s senior security technologist.

Piscitello has a whole list of reasons why ISPs and registrars should not be allowed to profit from people’s typing errors in this way.

Top of his list is that they may open up security holes in users’ computers: Security researcher Dan Kaminsky demonstrated in April that he could exploit the error message redirection system used by U.S. ISP Earthlink to execute his own JavaScript. Kaminsky revealed his findings when Network Solutions, a domain name registrar, began operating a similar redirection service.

Such security flaws would be bad enough if a user had typed, say, “yorubank.com” instead of “yourbank.com”. But if the user had typed the address of the nonexistent server “ww.yourbank.com” instead of “www.yourbank.com”, an attacker could execute malicious JavaScript on the redirected page as if it came from the bank itself, perhaps stealing the user’s credentials.
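As an added illustration (not from the article) of why the “ww.yourbank.com” case is worse than the “yorubank.com” case: a page served for the nonexistent host still sits inside the bank’s registered domain, so any cookie the bank scoped to Domain=yourbank.com (an assumption about the bank’s cookie settings) is sent to the substituted page. The code applies the domain-matching rule of RFC 6265 section 5.1.3 to a constructed cookie jar.

```python
def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the request host domain-matches the cookie's Domain
    attribute when it is identical to it or ends with '.' followed by it."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def cookies_sent_to(request_host, cookie_jar):
    """Names of the cookies a browser would attach to a request for request_host."""
    return [name for name, domain in cookie_jar if domain_matches(request_host, domain)]

def typo_exposure(typed_host, cookie_jar):
    """Classify a mistyped, nonexistent host whose NXDOMAIN answer was replaced by a
    third-party page: 'inside-bank-domain' means the bank's cookies travel with it."""
    leaked = cookies_sent_to(typed_host, cookie_jar)
    return ("inside-bank-domain", leaked) if leaked else ("unrelated-domain", [])

# Constructed jar (assumption): the bank's session cookie scoped to its registered
# domain, as is common for sites that serve several hostnames.
BANK_COOKIES = [("SESSION", "yourbank.com")]

if __name__ == "__main__":
    for host in ("www.yourbank.com", "ww.yourbank.com", "yorubank.com"):
        print(host, typo_exposure(host, BANK_COOKIES))
```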
