Security

December 7, 2009 7:34 AM PST

Study: Facebook users willingly give out data

by Don Reisinger

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns over the way Facebook users are keeping information private come on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

December 6, 2009 11:00 AM PST

Youth using phones to harass and spy on partners

by Larry Magid

Cell phones and the Internet are great ways for romantic partners to stay in touch, but based on a recent survey of 14- to 24-year-olds, they're also being used to spy and harass significant others.

My report on the Associated Press and MTV study about youth digital abuse focused mostly on sexting and how youth respond to cyberbullying. But there was also some interesting data on how technology is being used for "dating abuse."

One of the findings of an MTV/AP youth survey

(Credit: AThinLine.org)

The study (PDF) found that 22 percent of youth involved in a romantic relationship say they feel like their significant other uses a cell phone or goes online to check up on them too often. The study also found that "more than 1 in 4 say their boyfriend or girlfriend has checked the text messages on their phone without permission," and more than 10 percent of the young people said that a boyfriend or girlfriend has demanded that they give them their password.

Whether by coercion or not, 26 percent said they had shared an online password with someone. Females (31 percent) are more likely to share passwords than males (22 percent). And though there isn't necessarily a causal relationship, 68 percent of those who have shared passwords report having been a target of digital abuse compared with 44 percent of those who hadn't.

Not surprisingly, a significant minority of the youth (12 percent) said that a boyfriend or girlfriend has called them names, put them down, or said really mean things to them on the Internet or cell phone.

And about 1 in 10 said that a significant other demanded that they unfriend a former boyfriend or girlfriend on social networks.

The survey, conducted for The Associated Press and MTV by Knowledge Networks, interviewed 1,247 people between the ages of 14 and 24 in what was described as a nationally representative survey.

Teen dating violence subject of CBS Evening News report

(Credit: CBS Evening News (via CBSNews.com))

This data comes just as there is increased attention on teen dating abuse. CBS Evening News anchor Katie Couric reported last week that 29 percent of America's teens "say that they were emotionally, sexually or physically abused by their boyfriends and sometimes even girlfriends last year." Though technology doesn't cause or necessarily play a role in teen dating violence, it clearly can amplify the problem, especially if a partner in the relationship is using a cell phone or computer to harass, stalk or spy on their partner, as the AP/MTV survey has shown. Technology can also be used by partners to embarrass their significant others by making it possible for a partner to share details of their relationship online. One of the biggest downsides to "sexting" is the possibility of a partner sharing those images with others.

Marriage and family therapist Marty Klein is less concerned about kids sharing intimate photos with their partners than he is about how some are misusing those images. "Take the sex out of sexting and what you have is a betrayal of trust," Klein said. The Internet, he added, "more clearly and sometimes more dramatically focuses our attention on problems that people have struggled with forever." In other words, the Internet and mobile technology don't cause these problems (that exist in offline relationships) but they can amplify them.

Couric also reported that calls and online chat to the National Teen Dating Abuse Helpline went up nearly 600 percent from March 2007 to March 2009. The Helpline's Web site has advice for teens including a section on helping to determine if you're being abused.

In conjunction with the release of the digital abuse survey, MTV launched A Thin Line, a Web site that provides resources to help youth deal with sexting, constant messaging, spying, digital disrespect, and cruelty.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.

December 4, 2009 6:13 PM PST

PC Tools Internet Security 2010 reviewed

by Seth Rosenblatt

PC Tools' Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others. It's hard not to like the feature set, which is robust, and the recent efficacy badge from Virus Bulletin. However, some of the problems in the suite are glaring and will potentially scare away users who might otherwise find it a good security tool.

The default landing page should appeal to those who like quick glances to ensure everything is running smoothly. Green checkmarks or red Xes make it easy to see if you're at risk. Drilling deeper down to the settings pages could be better, though. Too often, the plain text felt squished by the chunks of white space on the right, and made it unnecessarily hard to parse logs and fine-tuning controls like the firewall or advanced scan settings.

The performance benchmarks weren't horrible, but they didn't impress, either. Falling somewhere in the middle of its competitors, and notably slow especially on computer start-up times, the suite could be much more nimble. Also annoying is that when held up against most of its competitors, the trial version is noticeably hamstrung. You only get 15 days to make a decision with the suite, and it won't remove any threats it detects.

What PC Tools fans will like is that although two earlier tests by Virus Bulletin this year gave PC Tools Internet Security 2009 failing marks, the first test of the new version passed the test on Windows 7. So for those with new computers, PC Tools' slightly lower price point of $50 for three licenses for its premium product may stand out as a good deal. Read the full review at CNET Reviews.

Originally posted at The Download Blog
December 4, 2009 4:14 PM PST

Google Chrome now bundled with Avast

by Seth Rosenblatt

You wouldn't necessarily expect it, but Avast and Google Chrome might be the next peanut butter-and-jelly combo in the software world. Google's nascent browser has paired with one of the most popular free security programs in the world so that when users run the Avast installer on a computer that has neither Chrome nor Avast, they'll be offered a chance to install Chrome simultaneously. This is the first such bundling for Avast in its 21-year existence.

The Chrome installation window in the Avast installer is cleverly polite.

(Credit: Screenshot by Seth Rosenblatt/CNET)

The Chrome option in the Avast installer does two things differently from the more familiar opt-out user experience that many programs provide in an installer in exchange for financial sponsorship. For one thing, the Chrome window only turns up if you don't already have it installed, but more importantly, it forces users to actively choose installation. Neither the "yes, install" nor the "no, don't install" radio buttons are checked by default. Of course, users are forced to check off "no" if they don't want it, but this should dramatically cut down on the incidence of accidental installations that tend to plague otherwise-similar piggybacking installs.

The Avast/Chrome combo may strike some as an odd couple, or at least more beneficial for Avast than for Chrome, but keep in mind that Avast has more than double the users that Chrome does. Google's Vice President of Product Management Sundar Pichai said Chrome had more than 40 million users at the Chrome OS press conference at the end of October, and the end of November saw NetApplications peg Chrome at 3.93 percent of the browser market, a 0.35 percentage point increase. Meanwhile, on Avast's Web site, the Czech Republic-based security vendor is preparing to fly its 100 millionth user to Prague on an expenses-paid trip.

A Google spokesman indicated that other deals might be in the works. "Users' response to Google Chrome has been outstanding, and we're continuing to explore ways to make Chrome accessible to even more people. This could potentially include distribution via a number of channels, such as the distribution we are currently doing with Avast."

CNET News staff writer Stephen Shankland contributed to this report.

Originally posted at The Download Blog
December 4, 2009 1:56 PM PST

Some Avast users must reinstall flagged files

by Seth Rosenblatt

An Avast virus definition file update late Wednesday accidentally marked hundreds of legitimate files as threats. The Czech Republic-based publisher Alwil responded quickly, issuing a fix less than six hours later, but some users are still dealing with the aftermath.

Restoring files improperly flagged as threats worked fine on my work computer, but not at home.

(Credit: Screenshot by Seth Rosenblatt/CNET)

Going through Avast's forums, the Avast-written guide for rescuing files falsely marked as threats should be quite simple. Force an Avast update, then from the main interface go to Menu, then Virus Chest. Right-click on the file in the chest you want to resuscitate, choose Scan to double-check that it's not a threat, then right-click on it again and choose Restore. Avast cautions that if that fails, you can choose Extract to put the file back where it came from.

For some instances of the Avast 5 beta and Avast 4.8, this doesn't work. The best solution I've found is the most annoying: run the installation file again. This certainly takes longer, but right now I've been unable to find any other solution that can be applied across the board. The one saving grace about reinstalling is that, at least for the files on my home computer that were affected, I didn't need to reconfigure any of the settings. The KMPlayer, IOBit Smart Defrag, and Find and Run Robot all retained their previous DLLs and other settings.

Keep in mind that this isn't the first over-eager definition file update. Two of the more recent ones include an incident from July that saw an update from Computer Associates flag a Windows XP system file as a virus, and last year AVG falsely identified a file from security provider ZoneAlarm as a virus.

If you're continuing to have problems from the Avast update, let us know in the comments below.

Originally posted at The Download Blog
December 3, 2009 3:38 PM PST

Defense Dept. pulls software over privacy issues

by Elinor Mills

The Department of Defense has pulled a parental control product from its online store serving military families after learning that the company collects children's data, according to documents the Electronic Privacy Information Center (EPIC) obtained from the government agency.

EPIC has filed a complaint (PDF) with the Federal Trade Commission alleging that Echometrix, maker of FamilySafe parental control software, violates the Children's Online Privacy Protection Act by collecting personal information from children and disclosing it to third parties for market intelligence purposes. Echometrix denies the allegations.

After learning that the Defense Department's Army and Air Force Exchange Service (AAFES) Web site offers the Echometrix product for sale, EPIC filed a Freedom of Information Act request with the Defense Department.

The agency complied with the FOIA request. Among the documents provided to EPIC were e-mails between Echometrix and a manager at the AAFES Exchange Online Mall who wanted to know how customer information is collected and whether it is used for marketing purposes.

"During the installation process we fully disclose all of Family Safe's procedures and clearly display an opt-out button for all anonymous aggregate data sharing in our (EULA) End User License Agreement," an Echometrix e-mail explains.

"The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited" by the agreement retailers sign to sell products through the AAFES site, the online mall manager writes in an e-mail. "Giving our customers the ability to opt out does not address this issue. [It] is prohibited in any case. Because of this, we must remove Sentry Parental Controls from the Exchange Online Mall."

Asked for comment, a Department of Defense spokeswoman said the Echometrix product was available on the online mall from September 25 until October 15. "To the best of our knowledge, no military personnel signed up for the service during the approximately three weeks it was available," Air Force Lt. Col. April D. Cuningham, the public affairs officer, wrote in an e-mail.

Echometrix collects information from children to help parents filter out Web sites, analyzes that information and then sells it to third parties for market intelligence research, said Kimberly Nguyen, the EPIC lawyer who is handling the case.

The data includes personally identifiable information of children, including IM screen names which can be linked to e-mail addresses, she said.

"The collection of children's data raises serious privacy concerns, and even the Defense Department realizes that," Nguyen said in an interview.

Echometrix denied the allegations.

"Echometrix does not collect personally identifiable information or expose the source of any digital content. The company has never and will never collect, distribute or sell personal information as defined by COPPA (the Children's Online Privacy Protection Act)," the company said in a statement.

The FTC did not respond to an e-mail seeking comment.

Originally posted at InSecurity Complex
December 3, 2009 12:59 PM PST

Microsoft to plug critical IE hole targeted by exploit code

by Elinor Mills

Microsoft said on Thursday that it will offer six updates for 12 vulnerabilities next week, including a critical hole in Internet Explorer that affects Windows 7 and other current versions of the operating system and for which exploit code has been released.

Late last month, Microsoft said it was investigating an IE vulnerability after someone released proof-of-concept code affecting IE 6 and IE 7 that could be used to take control of computers.

Microsoft described the problem in an advisory issued November 23: "The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."

Of the six updates Microsoft will release on Patch Tuesday, three of them are critical, according to a Microsoft security bulletin advance notification.

Software affected includes Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, and Office 2003.

Originally posted at InSecurity Complex
December 3, 2009 9:39 AM PST

Google wants to unclog Net's DNS plumbing

by Stephen Shankland

Google wants to speed up a key part of the Internet's inner workings called the Domain Name System and is inviting technically savvy folks to try their ideas out.

The DNS is a crucial part of the Internet. It converts the text addresses people can remember into the numeric Internet Protocol addresses actually used to locate information on the Internet. For example, CNET.com's IP address is 216.239.122.102.

When you visit a Web page, a DNS server that's part of a vast distributed network often must perform that conversion--called resolving a host--many times. With the Google Public DNS service, Google wants to be that server.

"Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' Web-surfing experiences faster, safer, and more reliable," said product manager Prem Ramaswami in a blog post introducing the Google Public DNS service.

Google's search service already has made it central to the workings of the Internet. If its DNS service becomes popular, Google could become even more significant.

For those who want to give it a whirl, Google posted instructions on using the Google Public DNS service. For those worried about what traces your Web surfing will leave in Google's records, check the Google DNS privacy page.

Originally posted at Deep Tech
December 3, 2009 9:24 AM PST

Avast update falsely flags good apps as malware

by Elinor Mills

Czech Republic-based Avast issued an update late on Wednesday to its antivirus software that mistakenly flagged hundreds of innocent files as a Trojan. It fixed the situation five and a half hours later.

Falsely labeled as malware were programs from Adobe, Realtek, sound card drivers, and various media players, among others, according to a blog post on the Avast Support Center.

The errant update had been issued around 12:15 a.m. GMT. A new update was issued at 5:50 a.m. GMT that corrected the problem. Customers who did not use their computers between those times will most likely not be impacted, the company said.

The software was identifying the good files as the Win32:Delf-MZG Trojan, according to Avast.

Avast, based in Prague, did not respond to an e-mail late on Wednesday seeking comment.

False positives happen in the industry. In July, Computer Associates' antivirus software was falsely tagging a Windows XP system file as a virus, and last year AVG falsely identified a file from security provider ZoneAlarm as a virus.

Originally posted at InSecurity Complex
December 2, 2009 4:09 PM PST

Character limitations in passwords considered harmful

by Jonathan Eunice

For about the 4,000th time in the last five years, I tried to sign up for a new Web service, but it wouldn't accept my proposed password. Apparently, the site operators decided that passwords should contain only letters and numbers. Aarrrrgh! This isn't the first time I've seen this idiocy, and it won't be the last. But it should be.

Guidelines on how to construct a strong password almost uniformly recommend using a mixture of upper and lower case letters, numbers, and symbols. Tools for generating passwords (for example, strongpasswordgenerator.com) encourage the use of symbols. There's even a mathematical formula that precisely calibrates how much more unguessable symbols make a password. So why don't sites support symbols in passwords? It makes no sense.

The strongest case against limited-character passwords isn't technical. It's not about "information entropy." It's about human factors and behaviors. Human factors dominate the success (or failure) of all information systems, including password systems. Humans are lousy at choosing random or quasi-random sequences--exactly the kind of high-entropy, hard-to-guess passwords that information security professionals think ideal. People are even worse at remembering said passwords.

So the pragmatic balance is a middle ground--passwords that are strong enough to thwart hackers' brute-force attacks and guessing algorithms, but easy enough that when someone is presented with a sign-in prompt, they're not stumped, frustrated, and ready to reset all their pass codes back to something like goofydog that easily lets hackers break into their account.

One good solution is using a password generator, such as PasswordMaker. Give it a Web site's URL, as well as a master password; it hands back a strong password such as Ga9i)t|Z that's unique to that site. A hundred different Web sites? No problem! A hundred different passwords, each of them very strong, yet the user has to remember just one (or for the very paranoid, a few) master passwords. For those using Firefox, there's even a plug-in; give it your master password once (per browsing session), and a single keypress automatically fills in the correct strong password whenever it's needed. It's not quite smart card or SecurID strong, but it's plenty strong for most uses, yet easy.

Sites that restrict the characters that can be used in passwords--they are the monkey wrench in this machine, the fly in this ointment. They don't accept the strongest of passwords, thus thwarting users' attempts to pragmatically balance password strength and ease by using password generators. This just encourages users to fall back to easy-to-remember, easy-to-hack passwords. Sigh. Sites that restrict password characters? You are doing it wrong.

While we're waiting for the laggard site operators to get passwords right, there is a good fallback: mnemonic abbreviations. Take a phrase you can easily remember, and turn it into an acronym. For example, "Coffee is my favorite beverage on Planet Earth" might become CimfboPE. You can spruce this up a little further, if you like, by doing letter-number substitution (e.g., 0 for o, 1 for i, 3 for e, and so on). Hackers probably aren't going to guess C1mfb0PE any time soon, yet it's surprisingly easy to recall when it's needed. Farhad Manjoo's article "Fix your terrible, insecure passwords in five minutes" explains this technique well. For some, mnemonic abbreviations are a fallback; for others, they may be strong enough to use for all passwords. After all, anything's better than goofydog.

Originally posted at Apps Meet Ops
Jonathan Eunice, co-founder and principal IT adviser at Illuminata, focuses on system architectures, operating environments, infrastructure software, development tools, and management strategies in networked IT. He has written hundreds of research publications and several books. Jonathan is a member of the CNET Blog Network and is not a CNET employee.
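
The password article above describes deriving a unique site password from a master password plus the site's URL, and argues that letters-and-digits-only rules defeat that approach. The sketch below is an added example, not code from the article or from PasswordMaker: it assumes PBKDF2-HMAC-SHA256 as the derivation (PasswordMaker's own algorithm is not described on the page), and every function name is hypothetical.

```python
import hashlib
import math
import string

ALNUM = string.ascii_letters + string.digits   # 62 characters: letters and digits only
FULL = ALNUM + string.punctuation              # 94 printable ASCII characters


def derive_site_password(master, site, length=8, charset=FULL, iterations=100_000):
    """Deterministically derive a per-site password (assumed scheme, see lead-in)."""
    # The site name acts as the salt, so each site gets an unrelated password
    # and nothing has to be stored: the same inputs always give the same output.
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site.lower().encode("utf-8"),
        iterations, dklen=64,
    )
    # Treat the 512-bit output as one integer and peel off base-N digits.
    # With 512 bits feeding a ~52-bit result, modulo bias is negligible.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        chars.append(charset[idx])
    return "".join(chars)


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def length_for_bits(bits, charset_size):
    """Shortest length that reaches `bits` of entropy with the given charset."""
    return math.ceil(bits / math.log2(charset_size))


def site_accepts(password, allowed=ALNUM):
    """Model of a site that rejects any character outside `allowed`."""
    return all(c in allowed for c in password)


def demo():
    master = "constructed master passphrase"   # constructed sample input
    results = {}
    for site in ("example.com", "example.org"):  # constructed sample sites
        strong = derive_site_password(master, site)
        fallback = derive_site_password(master, site, charset=ALNUM)
        results[site] = (strong, site_accepts(strong), fallback)
    return results


if __name__ == "__main__":
    for site, (strong, ok, fallback) in demo().items():
        print(f"{site}: full-charset={strong!r} accepted={ok} alnum-only={fallback!r}")
    full_bits = entropy_bits(8, len(FULL))
    print(f"8 chars, 94 symbols: {full_bits:.1f} bits")
    print(f"8 chars, 62 symbols: {entropy_bits(8, len(ALNUM)):.1f} bits")
    print(f"alnum length needed to match: {length_for_bits(full_bits, len(ALNUM))}")
```

Under a letters-and-digits-only rule, a generator has to switch to the smaller character set and add a ninth character to match the strength of an 8-character password drawn from all 94 printable characters.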