Most people are wise to so-called phishing scams, usually in the form of emails pretending to be from a reputable place such as a bank asking you to click a link to 'secure your account' or similar. Said link is usually a clone of the real site so that users feel comfortable entering in their confidential data. Of course, it all gets sent to scammers who go and use your details to commit fraud. Lovely.
It's not a new thing at all, but people are doing this over the phone too. A popular one that recently caught out a family member is that someone will call, ask for the householder by name, and proceed to tell them they are from Microsoft or 'Windows Support'. They may have the householder's email and/or home address (from where I have no idea; they may be using the local phone book or have the details sold onto them from other sources) and will gain the trust of the user by confirming these with them, proceeding then to tell the user their computer is infected by viruses and this must be fixed now or they will be fined/their computer will crash/other similar threats. Sounds like a classic scam, but due to the user being named it can catch people out - especially if they're computer illiterate.
View full entry »
I came across a couple of websites discouraging the use of PHPAskIt because it uses a database and therefore absolutely must be insecure.
One such example states:
PHPAskIt isn't completely secure, either. It uses a database so I woulda thought that was more INsecure than the flat file of Waks Ask & Answer script.
PHPAskit is just as insecure [as Wak's Ask&Answer] only people think it's secure because it's not flat file.
And so on, and so forth.
For the record, there is no difference in security in using one method or another, as long as they are both done properly. Wak's Ask&Answer and CuteNews (flat file scripts) aren't. PHPFanBase and SimpleDir (MySQL scripts) aren't either. Jem's Bella~ series and FlatPress however, are flat file scripts and they are fine. Similarly, WordPress and PHPAskIt are MySQL scripts and they are absolutely fine.
Yes, it's true that hackers discover more and more vulnerabilities in scripts and programming languages all the time, so those scripts may not always be secure in their current versions so it is very important to keep your scripts up to date. But to say a script is insecure because of the method of storage that they use is stupid and shows complete ignorance. If you are going to say a script is insecure, don't just back it up with "well I looked it up online and it said it was insecure". People seem to like publishing fake reports of insecurities (probably where all this is coming from, actually... PHPAskIt had a nice security hoax published about it - and in case you're still living in the dark ages it was wrong) so "looking it up online" isn't always the answer.
If in doubt, ask someone who knows what they're talking about. :)
It has been brought to my attention that there is a serious security vulnerability within all versions of PHPAskIt, which states that the conversion scripts for Wak's Ask&Answer and the classic Ask&Answer can be hacked through the directory variables.
The security vulnerability is a hoax. The import files CANNOT be hacked through the $qadir and $dir variables even with register_globals on.
I find it such a shame that the person who discovered this has gone round telling everyone who will listen that my script's insecure (and every major security site there is) but 1) won't inform me (I found out through a Google search) and 2) makes things up. I've contacted them several times but each time the mail has bounced back. *Rolls eyes* How mature.