The Mac Security Blog

Amazon Glitch Leads to Password Risk

A flaw in Amazon's password handling has been discovered: in certain situations, users can log in with variants of their passwords. The likely cause is a legacy password hashing function that truncates passwords to 8 characters and, judging by the examples below, ignores case, so any two passwords that share the same first 8 characters (in any mix of upper and lower case) produce the same stored hash. As Wired points out:

if your password is “Password,” Amazon.com will also let you log in with “PASSWORD,” “password,” “passwordpassword,” and “password12345.”

However, it seems that newer passwords (though there is no definition of what "new" means) are not affected by this flaw, which suggests that passwords set more recently are hashed with a different, full-length scheme. Therefore, if you have an Amazon account (at any of Amazon's many stores), and you have been a customer for a long time, it's a good idea to go to your account page and update your password. Wired suggests that, "You can even then change your new password back to your old password, and you'll magically be safer than you were before." This should work: a stored hash cannot be upgraded in place, because the site only ever sees the full password when you type it, so setting a password (even to the same string) is what causes it to be re-hashed and stored under the newer scheme.
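The following is an added example, not Amazon's code. The legacy scheme is a stand-in built to reproduce the behaviour described above (truncate to 8 characters, fold case, then hash); the real function Amazon used is not known from the post. It shows why the listed variants all verify against an old hash, and why re-setting the password (even to the same string) is the only way to move an account onto the stronger scheme:

```python
import hashlib
import hmac
import os

# Stand-in for the legacy scheme (an assumption, not Amazon's actual function):
# only the first 8 characters matter, and case is ignored.
LEGACY_MAX_LEN = 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    key = password[:LEGACY_MAX_LEN].upper().encode()
    return hashlib.sha256(salt + key).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Full-length, case-sensitive, salted and iterated hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SCHEMES = {"legacy": legacy_hash, "modern": modern_hash}


class Store:
    """Minimal user table: user -> (scheme name, salt, stored hash)."""

    def __init__(self):
        self.users = {}

    def _set(self, user, password, scheme):
        salt = os.urandom(16)
        self.users[user] = (scheme, salt, SCHEMES[scheme](password, salt))

    def create_legacy_user(self, user, password):
        # Account created under the old scheme.
        self._set(user, password, "legacy")

    def set_password(self, user, password):
        # Any password change re-hashes with the modern scheme; the old hash
        # cannot be upgraded without the plaintext, which only arrives here.
        self._set(user, password, "modern")

    def verify(self, user, password) -> bool:
        scheme, salt, stored = self.users[user]
        candidate = SCHEMES[scheme](password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, stored)


# Constructed candidates: the Wired variants plus one that should never work.
CANDIDATES = ["Password", "PASSWORD", "password", "passwordpassword",
              "password12345", "Passwor"]


def accepted_variants(store: Store, user: str, candidates=CANDIDATES):
    """Return the candidates the store accepts for this user."""
    return [c for c in candidates if store.verify(user, c)]


def demo():
    store = Store()
    store.create_legacy_user("alice", "Password")
    before = accepted_variants(store, "alice")
    store.set_password("alice", "Password")  # same string, new scheme
    after = accepted_variants(store, "alice")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("legacy hash accepts:", before)
    print("after re-setting password:", after)
```

Under the legacy stand-in, five of the six candidates verify; after `set_password` only the exact string does. The point of the `Store` split is that a migration has to happen at password-set or login time, when the plaintext is available, which is exactly why Wired's "change it and change it back" advice is sound.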


Opera Updates Browser for Critical Vulnerabilities

Opera has updated its web browser to version 11.01, fixing a number of bugs, and correcting five security vulnerabilities, one of which the company considers critical. The critical flaw involves “Large form inputs [that] can allow execution of arbitrary code,” and is described as:

When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques will have to be employed.

In addition, the latest version of Opera enables Mac OS X file quarantine. This is the feature that tags downloaded files with an extended attribute so that the Finder can warn users, when they first open such a file, that it was downloaded from the Internet; until now, files downloaded with Opera did not receive this tag.



Opera is available here, and is a 13.2 MB download.

Facebook Adds Secure HTTPS Access

Facebook has announced that they are adding secure HTTPS access to the company's web site. This means that data is encrypted, in both directions, between your computer and their servers. It protects both the data you send and the pages you load, so that no one on the same network (at a coffee shop or on public Wi-Fi, for instance) can "sniff" your connection and intercept your session.

You’ll see this by the presence of a padlock somewhere in your browser window (if you use Safari, this lock is at the top-right of the window; in Firefox, it’s at the bottom-right), and a green section in your address bar with the name Facebook, Inc.

You can log into Facebook securely by using https instead of http in the site’s URL (https://www.facebook.com), or by changing your Account Security settings. The settings below should be available sometime today:


Facebook also announced a new type of “captcha” (a system used to prove you are human) if you need to verify your identity: it uses pictures of your friends, and asks you to name the person in the photos. Facebook says, “Hackers halfway across the world might know your password, but they don’t know who your friends are.”


Google Gets Into the Do Not Track Business

Shortly after Mozilla announced that a "do not track HTTP header" feature would be added to the Firefox web browser, Google announced a similar opt-out feature for its Chrome web browser. In this case, the feature is provided by an extension, which is available now.

Google does say that they’re “working to make this feature available for other browsers.” Google had previously provided an advertising cookie opt-out plugin for a few web browsers (not for Safari).

Mozilla Proposes Do Not Track HTTP Headers

The Mozilla Foundation, the group behind the Firefox web browser, is proposing a solution to allow web users to opt out of online behavioral advertising using a "do not track HTTP header" sent by the web browser. If the option is activated in the browser, the browser adds a simple header to every request, telling the site that the user does not want to be tracked. Mozilla says that "the header-based approach has the potential to be better for the web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists."

This would not replace cookies, which would still be used for ordinary site state (logins, session IDs, etc.), but the approach has the merit of being simple to implement, and any web browser could send the header.
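As an added illustration (not Mozilla's code, and not from the proposal itself), here is how a site would honor the header on the server side. It assumes the header name and value from Mozilla's proposal, `DNT: 1`, and shows the distinction made above: the session cookie is always set, while the advertising identifier is withheld when the browser has opted out. The request headers are constructed inline:

```python
from http.cookies import SimpleCookie

# Header name and value from Mozilla's proposal; "1" means the user opts out.
DNT_HEADER = "dnt"
DNT_OPT_OUT = "1"


def dnt_opt_out(request_headers: dict) -> bool:
    """True if the request carries DNT: 1 (header names are case-insensitive)."""
    normalized = {k.lower(): v.strip() for k, v in request_headers.items()}
    return normalized.get(DNT_HEADER) == DNT_OPT_OUT


def response_cookies(request_headers: dict, session_id: str, ad_id: str):
    """Build the Set-Cookie headers for a response.

    The session cookie is site state, not behavioural tracking, so it is
    always set. The advertising identifier is the tracking cookie and is
    only set when the browser has not asked to opt out.
    """
    cookies = SimpleCookie()
    cookies["sid"] = session_id
    cookies["sid"]["httponly"] = True
    cookies["sid"]["secure"] = True
    if not dnt_opt_out(request_headers):
        cookies["ad_uid"] = ad_id
        cookies["ad_uid"]["max-age"] = 365 * 24 * 3600
    return [("Set-Cookie", morsel.OutputString()) for morsel in cookies.values()]


def cookie_names(request_headers: dict) -> list:
    """Names of the cookies a response to this request would set."""
    headers = response_cookies(request_headers, "s3ss10n", "adv-42")
    return [value.split("=", 1)[0] for _, value in headers]


# Constructed sample requests: an opted-out browser, a browser with the
# option off, and one that does not send the header at all.
SAMPLE_REQUESTS = {
    "opt-out": {"Host": "example.test", "DNT": "1"},
    "opt-in": {"Host": "example.test", "dnt": "0"},
    "no-header": {"Host": "example.test"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        print(label, "->", cookie_names(headers))
```

A site that ignores the header simply keeps setting `ad_uid`, which is the chicken-and-egg problem Mozilla describes: the browser side is trivial, but the opt-out only means something if sites implement a check like `dnt_opt_out`.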

However, “The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective.” Assuming that advertisers want a simple solution to allow users to opt out of their systems is perhaps a bit utopian. But, “Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.”

Time will tell if this type of system is adopted, and if advertisers are willing to use it consistently.


Macworld UK Loves Intego Washing Machine

Macworld UK has posted a review of Washing Machine, Intego’s program that cleans up files created by web browsers and other programs that access the Internet. The reviewer noted that:

It does the job very well too, with a clean, exceedingly simple interface that lists the offending programs on your system and gives you easy access to the backed-up data you may want to remove.

And the article concludes:

Washing Machine is a fast, convenient way to target and regularly clean up downloaded data on your Mac. The Secure Clean feature is definitely worth a few quid. The clear interface and seamless integration are impressive too. This is a great tool for anyone concerned about online privacy or as part of a wider Mac maintenance kit.