The flash notice isn’t such a big security risk on its own but from a banking site I’d expect they would be more careful by
 - informing users that a (useless) banner requires Flash on your computer (Flash being a popular attack vector is good for gaming sites, from a banking site I’d expect something else)
 - informing users upfront what ‘Profacts.be‘ is about and a detailed explanation on what kind of data they are sharing with that partner (“Profacts is a market research agency” does not sound the kind of agency I’d be happy to share my data with, a banner with ‘gegevens blijven volledig vertrouwelijk’ isn’t sufficient)

You get these kinds of notices often when you visit newspaper or general interests sites and that’s fine. However when visiting a banking site ‘everything’ that might raise suspicion or confusion should be avoided.

1. Evernote

Evernote makes it easy to remember things big and small from your everyday life using your computer, phone, tablet and the web.

Evernote (http://www.evernote.com/evernote/) is available for iPhone, Mac and Windows and allows you to make lists of things you don’t want to remember. Besides the ‘todo-list’ it also allows you to save entire websites (with the use of browser plugins) in your Evernote repository. This is the feature I like most, it allows me to store an entire website for later (offline) reading on my iPhone.

2. Reeder

Reeder is a Google reader client

Reeder (http://itunes.apple.com/us/app/reeder/id325502379) is an RSS reader that allows you to read your feeds, mark interesting articles and then have them synced once you get back online.

3. Foursquare

Make the real world easier to user

Foursquare (https://foursquare.com/) is a social app allows you to track where you have been. It allows you to keep track of where your friends are and notifies you if you ‘check in’ to a building where one of your friends is.

4. Echofon

Echofon (http://www.echofon.com/ is a family of Twitter apps.

Echofon is my preferred twitter app on iPhone because it’s straightforward to use and I’ve rarely had it crash.

5. Gorillacam

camera app for iPhone

Gorillacam (http://joby.com/gorillacam) allows you to create pictures with your phone. An “anti-shake” provides a way to take pictures when your phone is steady, helping you get blur-free photos.

6. Toggl

Time Tracking that works

Toggl (https://www.toggl.com/ is an easy of way of keeping track of the amount of time you spend on different projects. It’s a must have if you want to get organised.

7. Tap&Track

Calorie Counter (Diets & Exercises)

Tap&Track (http://itunes.apple.com/be/app/tap-track-calorie-counter/id307749752″ allows me to keep track of what I’m eating and how much I’m doing sports.

8. Opera Mini

Smarter Mobile Browsing

Opera Mini (http://www.opera.com/mobile/) is fast and easy to use browser and a good alternative to the default Safari.

9. UITagenda

De meest volledige cultuur- en vrijetijdsagenda voor Vlaanderen en Brussel!

UITagenda (http://www.uitinvlaanderen.be/iphone) is an easy way to keep track of what events are happening in Flanders and Brussels.

10. mijnTVgids

De mijnTVgids app is volledig gratis beschikbaar op iPhone, iPod Touch, Android, Windows Phone, Nokia smartphones en HP Web connected printers.

mijnTVgids (http://mijntvgids.appstrakt.be/) gives a slick interface on what’s playing on television.

404.php
comments.php
content-page.php
footer.php
header.php
index.php
page.php
sidebar.php
single.php

Of course you’ll have to add the style.css file and include custom Javascript and CSS files in your header.php file.

The old site used to look like this :

This site uses Google Fonts so you might want to turn on Javascript for all visual effects.

I debugged the problem by looking at the SQL-queries performed by WordPress. One query returned an error :

SELECT SQL_CALC_FOUND_ROWS  wp_posts.* FROM wp_posts  INNER JOIN wp_term_relationships ON (wp_posts.ID = wp_term_relationships.object_id) WHERE 1=1  AND ( wp_term_relationships.term_taxonomy_id IN (1) ) AND wp_posts.post_type = 'post' AND (wp_posts.post_status = 'publish') GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC LIMIT 0, 10

Because the MySQL server was configured to honor ONLY_FULL_GROUP_BY it gave the error “‘test.wpposts.post_author’ isn’t in GROUP BY”.

I could not disable ONLY_FULL_GROUP_BY serverwide so I had to insert it in the WordPress-code.

The best place to do this was in the wp-includes/wp-db.php. Look for the function db_connect() and add the code below as the last line of the function.

mysql_query( " SET sql_mode='ANSI,TRADITIONAL' ", $this->dbh);

Note that every time you perform an upgrade of WordPress you’ll have to add this line back to the source code.

UPDATE

After implementing this change I was unable to post new posts or pages through the WordPress interface. Doing Quick Posts (through the dashboard) and update via XML-RPC works without a problem.

wget -q -O - checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

It reads a log file and looks for a match based on keys in an iplist. Afterwards the result is summarized and grouped by a specified field. For example, say you have the log file

192.168.1.1 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"
192.168.1.3 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"
192.168.1.1 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"
192.168.1.2 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"
192.168.1.3 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"
192.168.1.2 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"
192.168.1.3 - - [1/Apr/2010:1:1:39 +0200] "GET /favicon.ico HTTP/1.1"

and you would like to have all the entries for IPs 192.168.1.2 and 192.168.1.3. Instead of grepping the content for every IP manually you can use the script below. Put all the IPs in an iplist similar to this

1234 | 192.168.1.1 | MyNet
4567 | 192.168.1.2 | MyNet
8901 | 192.168.1.3 | MyNet
2345 | 192.168.1.4 | MyNet


<?php
/**
 *
 * Parse a log file and group by entries from another file
 *
 * This script reads a log file and then groups the entries
 * according to keys found in an iplist
 * There's no input validation so make sure neither the
 * log file or iplist contain malicious code
 *
 * This script is useful if you want to group log file entries
 * based on AS number or network name.
 *
 * 		Koen Van Impe				cudeso.be
 *		20100525
 *
 **/

// Configuration array
$config = array(	// file containing the IPs
					"iplist" => "BE.txt",
					// logfile with the individual entries
					"logfile" => "Log_BE.txt",
					// what field to use as a separator in iplist
					"separator" => "|",
					// position of the IP (0-based)
					"ippos" => 1,
					// position of the groupby field (0-based)
					"groupby" => 0,
					// newline after a logfile
					"newline" => false
				);

// Array for the resultset
$result = array();
$matchcount = 0;

// walk through the IP list
if (file_exists($config["iplist"])) {
	$file_handle = fopen($config["iplist"], "r");
	while (!feof($file_handle)) {
		$fields = explode("|", fgets($file_handle));
		$key = (string) trim($fields[$config["groupby"]]);
		if (strlen($key) > 0) {
			$data = trim($fields[$config["ippos"]]);
			$result[$key][] =  $data;
		}
	}
	fclose($file_handle);

	// read the log file
	if ((file_exists($config["logfile"])) && count($result) > 0) {
		$logfile = file($config["logfile"]);

		echo "Parsing ".$config["logfile"]."n".
				"for matches in ".$config["iplist"]."n".
				"on field pos #".$config["ippos"]."n".
				"group by field pos #".$config["groupby"]."nnn";
		// walk through the resultset; scan the
		// log file for every entry
		// three foreachs ... optimization
		foreach ($result as $key => $value) {
			echo "n******************n$keyn******************n";
			foreach ($logfile as $line) {
				foreach ($value as $match) {
					// is position 0 and is not BOOLEAN
					if ((strpos($line, $match) === 0) or
					// position bigger than 0
						(strpos($line, $match) > 0)) {

							// we have a match
							echo "$line";
							if ($config["newline"]) echo "n";
							$matchcount++;
					}
					else $misscount++;
				}
			}
			echo "nnnn";
		}

		echo "nn$matchcount relevant entries found in ".$config["logfile"];
	}
}

?>

The mailing warns customers that there is a phishing attack ongoing. According to the mail, once infected, a virus on your computer lures you to a fake page where you are asked to enter your details.

So far so good. It seems like a good practice that banks try to warn their customers.

The mail contains a couple of links that should point you to sites that allow you to check if you are infected or not. Unfortunately the links point to another website. That website seems to have nothing to do with DB. It is a website for a “relationship marketing suite”. It is understandable that DB uses an external company to handle their mailings but I don’t get it … The message to their customers is “be on your guards” and then they ask you to click on a link that has nothing to do with DB?