Security

You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.

A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.

The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.

Here's a look at some of the specific threats users of the sites face and what they can do about it.

FACEBOOK

A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.

(Credit: Trend Micro)

Problems: Malware, account hijacking, phishing, and social engineering

The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.

Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.

Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.

Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.

Problem: Rogue applications

Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.

Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?

Problem: Privacy leaks due to user error

Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.

Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.

These instructions explain how to keep most people from viewing your friends list on Facebook.

(Credit: CNET)

Problem: Privacy leaks due to design or implementation issues

Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.

Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.

Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.

Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.

Problem: Privacy leaks related to marketing

The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.

Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.

Problem: Information used to suppress dissent and target political activists

As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.

"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.

Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.

TWITTER

This screen shot shows a Koobface attack message on a Twitter page.

(Credit: Trend Micro)

Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.

Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."

Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.

Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.

Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.

Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.

Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.

New cybersecurity chief Howard Schmidt

(Credit: The White House)

The White House's new cybersecurity chief faces a tough agenda, but will be able to draw on the lessons of a 40-year career, including stints at Microsoft and eBay.

Former security adviser Howard Schmidt is returning to the White House as President Obama's new cybersecurity coordinator, the White House announced Tuesday.

In his new role, Schmidt will report to the National Security Council. Schmidt will also "have regular access to the president," said an official who spoke to The New York Times.

Earlier this year, President Obama initiated a review of the government's cybersecurity policies in an effort to streamline operations. Turf wars among various agencies and a perceived weakness in the Department of Homeland Security had raised red flags, prompting the president to declare that the country was not adequately prepared on the cybersecurity front.

Following that review, the White House identified a need for a new cybersecurity chief, then plunged into a tricky, months-long process that now brings Schmidt back to public service.

President Barack Obama greets his new White House cybersecurity chief Howard A. Schmidt in the Cross Hall of the White House.

(Credit: Official White House Photo by Lawrence Jackson)

In a recorded speech introducing himself, Schmidt said he sees information technology as offering great opportunities but also great dangers to national security, public safety, economic competitiveness, and personal privacy. As dependence on technology increases, he said, the need to protect our security and privacy also increases.

As such, Schmidt said that the president has directed him to focus on several key areas:

• developing a new and comprehensive strategy to secure U.S. networks to ensure an organized response to future cyber incidents;
• beefing up both public and private partnerships in the U.S. and abroad;
• promoting research and development of next-generation technologies;
• and leading a national campaign to promote cybersecurity, awareness, and education.

Acknowledging that Washington can't solve cybersecurity problems on its own, Schmidt said his agenda is to bring together the government, the private sector, and other stakeholders as part of a new and comprehensive cyberstrategy to strengthen online defenses.

Following Schmidt's appointment, a variety of security analysts offered their thoughts.

In a Tuesday blog post, Randy Abrams of security vendor ESET said that Schmidt is very smart and personable, possessing a depth of knowledge and experience that makes him one of the best possible candidates for the job. But Abrams cautioned people not to expect miracles or fast changes as Schmidt will face huge obstacles trying to coordinate security across different government agencies, most of which have people who think their way is the only way to do things.

Phillip Dunkelberger, president and CEO of security vendor PGP, where Schmidt serves on the board of directors, said: "Howard's familiarity with public sector, private sector, large vendors and small innovative companies should be a great asset to this unique position; one that will just expand as our nation's dependency on cyber communications continues to grow." He also stressed that Schmidt will need to jump in quickly and form a solid working relationship with the Department of Defense and with the federal government's chief information officer, Vivek Kundra, and chief technology officer, Aneesh Chopra.

Schmidt brings to his new post a lengthy resume of government service, with a particular niche in computer crimes and forensics. Early in his career, he worked for the FBI's National Drug Intelligence Center, where he ran the Computer Exploitation Team. He also was a special agent and program director for the Air Force, where he set up one of the government's first dedicated computer forensic labs.

His new post will be Schmidt's second stint at the White House. In December 2001, just after the 9/11 attacks, he was appointed vice chairman for President Bush's Critical Infrastructure Protection Board and deputy to former White House cybersecurity czar Richard Clarke. Schmidt left his post in February 2003 to return to the private sector. During his tenure with the Bush administration, he helped create a new cybersecurity plan, which at the time was criticized as being too watered down, a charge that Schmidt disputed.

In the private sector, Schmidt served as chief security officer for Microsoft from 1997 to 2001 before joining the White House. After leaving his government post, he joined eBay in 2003 as vice president for security.

More recently, Schmidt was the president and CEO of the Information Security Forum, an international nonprofit organization that focuses on risks and research in the cyberworld.

Updated December 23, 4:00 a.m. PST with comments from security analysts.

What Twitter's homepage looked like before it went down on Thursday night.

(Credit: CC u07ch/Flickr)

Twitter stumbled again overnight on Thursday. But this time, it wasn't the work of the "fail whale," the cuddly cartoon personification of the site's excessive technical baggage. Rather, the site was replaced with a foreboding message from "Iranian Cyber Army" before crashing entirely, indicating that it had been the victim of a malicious attack that targeted its internal servers.

Co-founder Biz Stone posted a brief clarification on the issue late on Thursday night. "Twitter's DNS records were temporarily compromised tonight but have now been fixed," he explained. "As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully."

At the risk of sounding like an evening-news anchor calling attention to exactly how dangerous your treadmill is or how many diseases you can get from the ball pit at Chuck E. Cheese, I think it's time to explore the question: Is it safe to use Twitter?

For one, Twitter's track record with security has been shaky at best. A security flaw this spring exposed the data of a number of employees and allowed a hacker to pilfer some internal documents. Several high-profile accounts, like those of Britney Spears, Ashton Kutcher, and CNN anchor Rick Sanchez, have been targeted individually. Twitter has been the victim of phishing attacks. Other hackers have proved that Twitter accounts can be set up specifically to corral botnets of infected PCs. And in perhaps the biggest incident of all, a politically motivated denial-of-service attack in August that targeted multiple social-media sites managed to cripple Twitter entirely.

Think of it this way: if Facebook, a far bigger and more mainstream site that's had concerns about user privacy splashed all over the news recently, saw its homepage replaced with a nefarious political message, there would probably be a fresh round of calls for CEO Mark Zuckerberg's resignation. Twitter's heavy users are, for better or for worse, accustomed to sporadic downtime and glitches. They're also less likely to ever visit the Twitter.com homepage, considering the service has so many points of entry--text message, as well as third-party apps for mobile, Web, and desktop. Users have become accustomed to logging into third-party applications with their Twitter credentials.

That, perhaps, makes the overnight hack a bigger concern. Even though it's unlikely that user accounts were compromised in this DNS redirect, it's yet another sign that Twitter's security operations have time and again proven weak enough that the service doesn't exactly seem watertight.

A political message, or just plain obnoxious?
On the other hand, we still don't know much about this attack and it may have been less sophisticated than some may fear. One, nobody's exactly sure yet who the hackers were. "Of course, just because a message saying 'This site has been hacked by Iranian Cyber Army' has been posted on a Web page does not necessarily mean that hackers from Iran are responsible for the defacement," Sophos security consultant Graham Cluley wrote on his blog Friday.

Additionally, Cluley said, the aim seems to have been to either get a political message through or to simply be obnoxious. "Fortunately there is no indication at this point that the page was carrying malicious code, and this attack appears to have had political motivations rather than being designed to steal confidential information from users," he wrote.

"It really looks like it was people were redirected to a 'hactivism' site," weighed in fellow Sophos analyst Beth Jones via e-mail. "There was no malicious code on the site claiming to be the 'Iranian Cyber Army' either. It looks like they just hacked the registrar to redirect traffic. So it's quite probable that none of Twitter's own servers were touched."

Another reassurance is the fact that Twitter simply doesn't have the kind of sensitive data that a Facebook or Google does. While it does have millions of mobile phone numbers stored to power its text-message app, not to mention archived private "direct messages" between users, Twitter does not index a whole lot more that isn't otherwise public. Facebook, for example, has many members' credit card numbers on hand (if they've ever used its "gift shop" feature), not to mention extensive personal data in profiles like addresses, birthdays, and family connections. Members who are still concerned about the security of their Twitter accounts can take the obvious step of changing their Twitter passwords to something that they don't use on their e-mail, Facebook accounts, or elsewhere--just in case.

Beth Jones says she has confidence in Twitter. "I wouldn't say their security is second-rate by any means," Jones said via e-mail. "As it stands, they weren't actually compromised, but I can see from a user point of view the questions and concerns. At Sophos we see a new site compromised every 3.6 seconds. That's easily close to 24,000 sites a day, and of those, the vast majority are legitimate sites that get hacked."

That doesn't mean that Twitter shouldn't start making it more clear that it takes security seriously. If the company, which is now beta-testing a "Contributors" feature that may pave the way to paid corporate accounts, begins storing financial information, we can only hope that their security operations are turned up a few notches. Or, ideally, an order of magnitude.

This post was expanded at 6:23 a.m. PT with comment from Sophos' Beth Jones.

Mozilla has updated its Firefox browser to patch three critical security holes.

Firefox 3.5.6 and 3.0.16 both fix earlier memory corruption issues. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the security advisory said.

In addition, the earlier version of Firefox 3.5 had two critical vulnerabilities in its technology for playing Ogg-format media, one with the liboggplay media library and one with the libtheora video library.

The patches are among 62 fixes in the new Firefox, software that's translated into dozens of languages and runs on multiple operating systems. Users of the OS/2 operating system will be delighted to know that problems with Firefox's full-screen mode and with print preview have been resolved.

"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting. By default, Firefox downloads updates automatically then prompts users to restart when it's ready; updates also can be retrieved through the "check for updates" menu option.

Mozilla plans to cease supporting Firefox 3.0 in January. Meanwhile, a significant update, Firefox 3.6, is due by the end of the year.

Correction 1:23 p.m. PST December 17: This story was corrected to note that it was the earlier versions of Firefox that suffered the vulnerabilities.

Cloud computing and virtualization are just two technologies that cybercriminals are anxious to exploit, forecasts a report released Wednesday by security vendor Trend Micro.

The year ahead offers new opportunities for cybercrooks as they hunt for more targets and new challenges as people try to protect themselves, says Trend Micro's 2010 Future Threat Report (PDF).

Cloud computing and virtualization can be cost effective. But since they're beyond the confines of a company's own firewall, they could be potentially open areas for cybercriminals to attack. October's Sidekick data outage highlighted the vulnerabilities of the cloud, which cybercrooks are likely to abuse, according to Trend Micro.

Social networks have proved to be an appealing area for bad guys, a shift that Trend Micro thinks will increase through the use of social engineering. Cybercrooks will try to enter people's communities and circles of friends at sites like Facebook in an attempt to steal personal information.

Malware outbreaks will shift from the global landscape to more local, targeted attacks, similar to the strategy employed by Conficker, which Trend Micro calls a "carefully orchestrated and architected attack."

Trend Micro also believes the move toward international domain names orchestrated by ICANN will open up the playing field for more phishing attacks as crooks create look-alike domains names using the Cyrillic alphabet instead of Latin characters.

A few other trends for 2010 and beyond to keep us all on the alert:

• Windows 7 will have an impact since it is less secure than Vista in the default configuration (presumably because User Access Control (UAC) in Win 7 is not set to its most restrictive level by default).
• Drive-by infections are the norm--one Web visit is enough to get infected.
• Malware is changing its shape--every few hours.

To protect yourself, Trend Micro dispenses the usual advice we've all heard before. But it bears repeating--keep your PC patched and updated, don't click on strange e-mail attachments, make sure the online stores you shop at are secure (https vs http), and don't use the same password for all Web sites.

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns over the way Facebook users are keeping information private comes on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.

PC Tools' Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others. It's hard not to like the feature set, which is robust, and the recent efficacy badge from Virus Bulletin. However, some of the problems in the suite are glaring and will potentially scare aware users who might otherwise find it a good security tool.

PC Tools Internet Security 2010 in pictures

The default landing page should appeal to those who like quick glances to ensure everything is running smoothly. Green checkmarks or red Xes make it easy to see if you're at risk. Drilling deeper down to the settings pages could be better, though. Too often, the plain text felt squished by the chunks of white space on the right, and made it unnecessarily hard to parse logs and fine-tuning controls like the firewall or advanced scan settings.

The performance benchmarks weren't horrible, but they didn't impress, either. Falling somewhere in the middle of its competitors, and notably slow especially on computer start-up times, the suite could be much more nimble. Also annoying is that when held up against most of its competitors, the trial version is noticeably hamstrung. You only get 15 days to make a decision with the suite, and it won't remove any threats it detects.

What PC Tools fans will like is that although two earlier tests by Virus Bulletin this year gave PC Tools Internet Security 2009 failing marks, the first test of the new version passed the test on Windows 7. So for those with new computers, PC Tools' slightly lower price point of $50 for three licenses for its premium product may stand out as a good deal. Read the full review at CNET Reviews.

Google wants to speed up a key part of the Internet's inner workings called the Domain Name System and is inviting technically savvy folks to try their ideas out.

The DNS is a crucial part of the Internet. It converts the text addresses people can remember into the numeric Internet Protocol addresses actually used to locate information on the Internet. For example, CNET.com's IP address is 216.239.122.102.

When you visit a Web page, a DNS server that's part of a vast distributed network often must perform that conversion--called resolving a host--many times. With the Google Public DNS service, Google wants to be that server.

"Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' Web-surfing experiences faster, safer, and more reliable," said product manager Prem Ramaswami in a blog post introducing the Google Public DNS service.

Google's search service already has made it central to the workings of the Internet. If its DNS service becomes popular, Google could become even more significant.

For those who want to give it a whirl, Google posted instructions on using the Google Public DNS service. For those worried about what traces your Web surfing will leave in Google's records, check the Google DNS privacy page.

... Read more

For about the 4,000th time in the last five years, I tried to sign up for a new Web service, but it wouldn't accept my proposed password. Apparently, the site operators decided that passwords should contain only letters and numbers. Aarrrrgh! This isn't the first time I've seen this idiocy, and it won't be the last. But it should be.

Guidelines on how to construct a strong password almost uniformly recommend using a mixture of upper and lower case letters, numbers, and symbols. Tools for generating passwords (for example, strongpasswordgenerator.com) encourage the use of symbols. There's even a mathematical formula that precisely calibrates how much more unguessable symbols make a password. So why don't sites support symbols in passwords? It makes no sense.

The strongest case against limited-character passwords isn't technical. It's not about "information entropy." It's about human factors and behaviors. Human factors dominate the success (or failure) of all information systems, including password systems. Humans are lousy at choosing random or quasi-random sequences--exactly the kind of high-entropy, hard-to-guess passwords that information security professionals think ideal. People are even worse at remembering said passwords.

So the pragmatic balance is a middle ground--passwords that are strong enough to thwart hackers' brute-force attacks and guessing algorithms, but easy enough that when someone is presented with a sign-in prompt, they're not stumped, frustrated, and ready to reset all their pass codes back to something like goofydog that easily lets hackers break into their account.

One good solution is using a password generator, such as PasswordMaker. Give it a Web site's URL, as well as a master password; it hands back a strong password such as Ga9i)t|Z that's unique to that site. A hundred different Web sites? No problem! A hundred different passwords, each of them very strong, yet the user has to remember just one (or for the very paranoid, a few) master passwords. For those using Firefox, there's even a plug-in; give it your master password once (per browsing session), and a single keypress automatically fills in the correct strong password whenever it's needed. It's not quite smart card or SecurID strong, but it's plenty strong for most uses, yet easy.

Sites that restrict the characters that can be used in passwords--they are the monkey wrench in this machine, the fly in this ointment. They don't accept the strongest of passwords, thus thwarting users' attempts to pragmatically balance password strength and ease by using password generators. This just encourages users to fall back to easy-to-remember, easy-to-hack passwords. Sigh. Sites that restrict password characters? You are doing it wrong.

While we're waiting for the laggard site operators to get passwords right, there is a good fallback: mnemonic abbreviations. Take a phrase you can easily remember, and turn it into an acronym. For example, "Coffee is my favorite beverage on Planet Earth" might become CimfboPE. You can spruce this up a little further, if you like, by doing letter-number substitution (e.g. 0 for o, 1 for i, 3 for e, and so on,). Hackers probably aren't going to guess C1mfb0PE any time soon, yet it's surprisingly easy to recall when it's needed. Farhad Manjoo's article "Fix your terrible, insecure passwords in five minutes" explains this technique well. For some, mnemonic abbreviations are a fallback; for others, they may be strong enough to use for all passwords. After all, anything's better than goofydog.