Warning: Not suitable for dial-up users.

So why are you still running Internet Explorer?

Here are some of the main reasons NOT to use IE:

• It’s full of security holes – being integrated with the OS is a Bad Idea. There’s too much complexity in deciding whether a file operation should be allowed or not. Is the browser running as a file explorer or as a “normal” browser?
• It’s terrible at web standards – ask anyone who has to design a website and they’ll tell you about the recurring nightmares they have about getting sites to work in IE.
• It’s slow – rendering pages takes forever, especially if a site incorporates JavaScript.
• Updates aren’t provided in a timely manner. One of the reasons that the latest security scare has become so big, is that Microsoft only release patches once a month. That gives malware writers a full months head-start before a patch may be released.

So if security and privacy are important to you, then switch to another browser. There’s quite a few out there, available for free, and much better than Internet Explorer.

• Firefox,
• Safari,
• Opera,
• Google Chrome,
• Netscape Navigator, and
• a whole lot more

EDIT: For those of you that didn’t, or won’t, take my advice, here’s the patch to fix the latest security problem with IE. One more word of advice: Get used to patching IE, this is not going to be the last security issue you’ll have to deal with.

You should also be aware that the following answers are in response to my specific queries, and as such may not apply to your site. If in doubt, check with the DPC.

Question 1: As a personal website that accepts comments from readers, and requiring the above information before accepting a comment can be accepted, am I required to have a Privacy Statement?

DPC Response:

“We would consider that you would be a data controller for the purposes of the Data Protection Acts.

Further general information on the responsibilities of Data Controllers is available at the link below:

http://www.dataprotection.ie/docs/The_Data_Protection_Rules/21.htm

We also have extensive guidance on the contents of Privacy Statements and as a Data Controller who collects personal information through the website, you would be required to have a privacy statement.

http://www.dataprotection.ie/docs/PrivStatements/290.htm”

Question 2: Am I required to delete comments or to remove personally identifiable information after a certain period of time? As I plan to keep this website going indefinitely, what are my obligations in relation to keeping this data?

“As a data controller one of the responsibilities above requires that you only retain information for as long as is necessary so you would have to take account of this.”

Question 3: My website does not use SSL or encryption when accepting a persons information. Am I required to inform a commenter that this is the case when they submit their details, or will the Privacy Statement be
sufficient for this?

“You should clearly flag that you do not use such security in your privacy statement.”

Question 4: As I also accept comments from readers outside the EU, what are my legal obligations in relation to their data?

“Your obligations are the same no matter where the comments originate.”

Question 5: My website is hosted on a 3rd Party server, as per your Privacy Statement guidelines, if a Privacy Statement is required on my personal website, am I required to include the details of my contract from them detailing what they may do with data on my behalf and what security measures they have in place?

“You are not required to specifically state that your site is hosted by a third party in a privacy statement. The Data Protection Acts just oblige you to have a contract in place with that third party specifying its obligations to the data. If the host company is located outside of the European Economic Area, you would also be required to use a ‘model contract’ to cover this transfer. Further information on these obligations is available at the following link:

http://www.dataprotection.ie/docs/Transfers_Abroad/37.htm”

Question 6: I use various statistics packages to measure website usage. These packages generally store information such as IP address, search terms that led the user to my site, referring websites, browser versions, operating systems, and country of origin. Would this information fall within the scope of the Privacy Statement?

“IP addresses collected in the manner you have outlined would be considered to be likely to be personal data. However, as the data controller in relation to this information you can carry out this research for your own purposes, as long as you did not release this information (containing IP addresses) to third parties. To ensure fair processing, you should include the fact that you use IP addresses to monitor usage patterns etc in your privacy statement and delete them within a very short period.”

Question 7: One of the statistics packages that I use is Google Analytics. The information that this package stores may be kept on servers that are outside the EU. Am I required to make note of this in a Privacy Statement?

“In relation to the use of Google Analytics on your site, it would be sufficient to refer to the fact that you use this product in your privacy statement (I understand that Google stipulate this as a condition of use of the product in any case).”

So the answer to my original query, is that yes, bloggers do need a privacy statement if they collect personal information, and that collecting statistics does make you a data controller under the current Irish legislation.

The Trojan dubbed “AppleScript.THT” allows the remote attacker full access to the system, steals usernames and passwords, hides by turning off system logging, opening firewall ports and can also be used to install key logging software, take pictures using the inbuilt iSight and to enable file sharing.

The Trojan come as either a compiled AppleScript titled ASthtv05 or as a disc image called ASthtv_06. In both cases, the files have to be downloaded and executed by the user. At the moment, the Trojan does not take advantage of any other Mac vulnerabilities to automatically infect new machines – but that’s probably only a matter of time.

Secure Mac are advising Mac users to use MacScan to protect themselves against the threat. Or you could just stop the ARDAgent service from running scripts as root.

Open Terminal and type, all on one line, the following command:


sudo chmod u-s /System/Library/CoreServices/RemoteManagement/
ArdAgent.app/Contents/MacOS/ARDAgent


Now if you use,

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

you should get your own username back.

What interested me more was the last part of the DPC’s letter:

I also note that your website does not have a privacy statement, which is required by data protection legislation if your site does any of the following:

• Collects personal data (vistors filling in web forms, feedback forms etc)
• uses cookies or web beacons, or
• covertly colects personal data (IP addresses, email addresses)

I had a look at the Data Protection Commission’s website for some guidance.

Using WordPress as a publishing platform means that my website does collect this type of information any time a comment is left – WordPress stores the name, email address and IP address. Statistics packages also track IP addresses, along with referring sites, browser versions, OS versions etc. So from what I can see, if you run a personal blog you are required, by law, to have a Privacy Statement.

Furthermore, if your website is hosted on a 3rd party server, (which would mean practically everybody, apart from maybe Michele, who probably has his own server farm at this stage!), then they are also considered to be a Data Processor under the law and are required to give you a contract detailing what they may do with the data on your behalf and the security measures in place to protect it.

Of course, I may be reading this all wrong, so I’ve written to both the DPC and my hosting provider for some clarification on the issue. The details are below the fold, and I’ll get back to you when I hear more.

Questions asked in email sent to DPC:

1. As a personal website that accepts comments from readers, and requiring the above information before accepting a comment can be accepted, am I required to have a Privacy Statement?
2. Am I required to delete comments or to remove personally identifiable information after a certain period of time? As I plan to keep this website going indefinitely, what are my obligations in relation to keeping this data?
3. My website does not use SSL or encryption when accepting a persons information. Am I required to inform a commenter that this is the case when they submit their details, or will the Privacy Statement be sufficient for this?
4. As I also accept comments from readers outside the EU, what are my legal obligations in relation to their data?
5. My website is hosted on a 3rd Party server, as per your Privacy Statement guidelines, if a Privacy Statement is required on my personal website, am I required to include the details of my contract from them detailing what they may do with data on my behalf and what security measures they have in place?
6. I use various statistics packages to measure website usage. These packages generally store information such as IP address, search terms that led the user to my site, referring websites, browser versions, operating systems, and country of origin. Would this information fall within the scope of the Privacy Statement?
7. One of the statistics packages that I use is Google Analytics. The information that this package stores may be kept on servers that are outside the EU. Am I required to make note of this in a Privacy Statement?

The exploit uses the Apple Remote Desktop, (ARDAgent), application to execute a shell script. When the shell script is executed it is done so as Root. To test this, type the following command in Terminal:


osascript -e 'tell app "ARDAgent" to do shell script "whoami"'


This command works even if Remote Desktop Sharing is disabled and the Root user is disabled in the Directory Utility. However, it will only work if the user is logged into the computer. It will not work if Fast User Switching has been used.

As this is a brand new exploit there is no fix as of yet.

bkpwp_plugin_path=URL of a text file on an another website

Checking the URL in the page request returns a text file containing PHP code that attempts to launch a remote shell.

The first part of the page request is a reference to a plugin for WordPress called BackUpWordPress This plugin automatically backs up your WordPress database and files. According to Security Focus, the plugin does not properly check user provided input, thereby allowing remote users to possibly access your hosting providers server.

At this point in time there is no update available to resolve this issue. If you’re using this plugin, then until a fix is made available, the safest option is to deactivate and remove the plugin.

Update: Since I wrote this piece, the BackUpWordPress plugin has been updated to fix this issue. Kudos to the developer for releasing a fix so quickly. More details in this comment.

Important Update

After further research, including comments from Matt at WordPress, I am retracting my initial comments above. I do not have a problem with WordPress sending my Blog URL, after all I post it myself whenever I’m commenting on another Blog, and I ping several Blog Aggregators when I post a new comment. In relation to the plugin versions being sent to WordPress, I can understand the need in order to ensure that the current version is checked against the latest version. However, I still will not be upgrading to 2.3 until such a time as all the plugins I use are compatible with 2.3.

The attackers apparently gained access to the employers section of the website through a stolen ID, and then proceeded to upload the data to a remote server.

Symantec were the first to report the theft after they noticed phising emails being sent to Monster.com users containing personal details. The emails direct the user to a website that contains a trojan that encrypts the data on a users hard-drive and demands a ransom to decrypt it.