Security

December 4, 2009 6:13 PM PST

PC Tools Internet Security 2010 reviewed

by Seth Rosenblatt

PC Tools's Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others. It's hard not to like the feature set, which is robust, and their recent efficacy badge from Virus Bulletin. However, some of the problems in the suite are glaring and will potentially scare away users who might otherwise find it a good security tool.

The default landing page should appeal to those who like quick glances to ensure that everything is running smoothly. Green checkmarks or red X's make it easy to see if you're at risk. Drilling deeper down to the settings pages could be better, though. Too often, the plain text felt squished by the chunks of white space on the right, and made it unnecessarily hard to parse logs and fine-tuning controls like the firewall or advanced scan settings.

The performance benchmarks weren't horrible, but they didn't impress, either. The suite falls somewhere in the middle of its competitors and is notably slow on computer start-up times; it could be much more nimble. Also annoying is that, compared with most of its competitors, the trial version is noticeably hamstrung. You only get 15 days to make a decision with the suite, and it won't remove any threats it detects.

What PC Tools fans will like is that although two earlier tests by Virus Bulletin this year gave PC Tools Internet Security 2009 failing marks, the first test of the new version passed the test on Windows 7. So for those with new computers, PC Tools' slightly lower price point of $50 for three licenses for their premium product may stand out as a good deal. Read the full review at CNET Reviews.

Originally posted at The Download Blog

December 4, 2009 4:14 PM PST

Google Chrome now bundled with Avast

by Seth Rosenblatt

You wouldn't necessarily expect it, but Avast and Google Chrome might be the next peanut butter-and-jelly combo in the software world. Google's nascent browser has paired with one of the most popular free security programs in the world so that when users run the Avast installer on a computer that has neither Chrome nor Avast, they'll be offered a chance to install Chrome simultaneously. This is the first such bundling for Avast in its 21-year existence.

The Chrome installation window in the Avast installer is cleverly polite.

(Credit: Screenshot by Seth Rosenblatt/CNET)

The Chrome option in the Avast installer does two things differently from the more familiar opt-out user experience that many programs provide in an installer in exchange for financial sponsorship. For one thing, the Chrome window only turns up if you don't already have it installed, but more importantly, it forces users to actively choose installation. Neither the "yes, install" nor the "no, don't install" radio buttons are checked by default. Of course, users are forced to check off "no" if they don't want it, but this should dramatically cut down on the incidence of accidental installations that tend to plague otherwise-similar piggybacking installs.

The Avast/Chrome combo may strike some as an odd couple, or at least more beneficial for Avast than for Chrome, but keep in mind that Avast has more than double the users that Chrome does. Google's Vice President of Product Management Sundar Pichai said Chrome had more than 40 million users at the Chrome OS press conference at the end of October, and the end of November saw NetApplications peg Chrome at 3.93 percent of the browser market, a 0.35 percentage point increase. Meanwhile, on Avast's Web site, the Czech Republic-based security vendor is preparing to fly its 100 millionth user to Prague on an expenses-paid trip.

A Google spokesman indicated that other deals might be in the works. "Users' response to Google Chrome has been outstanding, and we're continuing to explore ways to make Chrome accessible to even more people. This could potentially include distribution via a number of channels, such as the distribution we are currently doing with Avast."

CNET News staff writer Stephen Shankland contributed to this report.

Originally posted at The Download Blog

December 4, 2009 1:56 PM PST

Some Avast users must reinstall flagged files

by Seth Rosenblatt

An Avast virus definition file update late Wednesday accidentally marked hundreds of legitimate files as threats. The Czech Republic-based publisher Alwil responded quickly, issuing a fix less than six hours later, but some users are still dealing with the aftermath.

Restoring files improperly flagged as threats worked fine on my work computer, but not at home.

(Credit: Screenshot by Seth Rosenblatt/CNET)

According to the Avast-written guide on Avast's forums, rescuing files falsely marked as threats should be quite simple. Force an Avast update, then from the main interface go to Menu, then Virus Chest. Right-click on the file in the chest you want to resuscitate, choose Scan to double-check that it's not a threat, then right-click on it again and choose Restore. Avast cautions that if that fails, you can choose Extract to put the file back where it came from.

For some instances of the Avast 5 beta and Avast 4.8, this doesn't work. The best solution I've found is the most annoying: run the installation file again. This certainly takes longer, but right now I've been unable to find any other solution that can be applied across the board. The one saving grace about reinstalling is that, at least for the files on my home computer that were affected, I didn't need to reconfigure any of the settings. The KMPlayer, IOBit Smart Defrag, and Find and Run Robot all retained their previous DLLs and other settings.

Keep in mind that this isn't the first over-eager definition file update. Two of the more recent ones include an incident from July that saw an update from Computer Associates flag a Windows XP system file as a virus, and last year AVG falsely identified a file from security provider ZoneAlarm as a virus.

If you're continuing to have problems from the Avast update, let us know in the comments below.

Originally posted at The Download Blog

December 3, 2009 3:38 PM PST

Defense Dept. pulls software over privacy issues

by Elinor Mills

The Department of Defense has pulled a parental control product from its online store serving military families after learning that the company collects children's data, according to documents the Electronic Privacy Information Center (EPIC) obtained from the government agency.

EPIC has filed a complaint (PDF) with the Federal Trade Commission alleging that Echometrix, maker of FamilySafe parental control software, violates the Children's Online Privacy Protection Act by collecting personal information from children and disclosing it to third parties for market intelligence purposes. Echometrix denies the allegations.

After learning that the Defense Department's Army and Air Force Exchange Service (AAFES) Web site offers the Echometrix product for sale, EPIC filed a Freedom of Information Act request with the Defense Department.

The agency complied with the FOIA request. Among the documents provided to EPIC were e-mails between Echometrix and a manager at the AAFES Exchange Online Mall who wanted to know how customer information is collected and whether it is used for marketing purposes.

"During the installation process we fully disclose all of Family Safe's procedures and clearly display an opt-out button for all anonymous aggregate data sharing in our (EULA) End User License Agreement," an Echometrix e-mail explains.

"The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited" by the agreement retailers sign to sell products through the AAFES site, the online mall manager writes in an e-mail. "Giving our customers the ability to opt out does not address this issue. [It] is prohibited in any case. Because of this, we must remove Sentry Parental Controls from the Exchange Online Mall."

Asked for comment, a Department of Defense spokeswoman said the Echometrix product was available on the online mall from September 25 until October 15. "To the best of our knowledge, no military personnel signed up for the service during the approximately three weeks it was available," Air Force Lt. Col. April D. Cuningham, the public affairs officer, wrote in an e-mail.

Echometrix collects information from children to help parents filter out Web sites, analyzes that information, and then sells it to third parties for market intelligence research, said Kimberly Nguyen, the EPIC lawyer who is handling the case.

The data includes personally identifiable information of children, including IM screen names which can be linked to e-mail addresses, she said.

"The collection of children's data raises serious privacy concerns, and even the Defense Department realizes that," Nguyen said in an interview.

Echometrix denied the allegations.

"Echometrix does not collect personally identifiable information or expose the source of any digital content. The company has never and will never collect, distribute or sell personal information as defined by COPPA (the Children's Online Privacy Protection Act)," the company said in a statement.

The FTC did not respond to an e-mail seeking comment.

Originally posted at InSecurity Complex

December 3, 2009 12:59 PM PST

Microsoft to plug critical IE hole targeted by exploit code

by Elinor Mills

Microsoft said on Thursday that it will offer six updates for 12 vulnerabilities next week, including one for a critical hole in Internet Explorer for which exploit code has been released. The hole affects Windows 7 and other current versions of the operating system.

Late last month, Microsoft said it was investigating an IE vulnerability after someone released proof-of-concept code affecting IE 6 and IE 7 that could be used to take control of computers.

Microsoft described the problem in an advisory issued November 23: "The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."

Of the six updates Microsoft will release on Patch Tuesday, three of them are critical, according to a Microsoft security bulletin advance notification.

Software affected includes Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, and Office 2003.

Originally posted at InSecurity Complex

December 3, 2009 9:39 AM PST

Google wants to unclog Net's DNS plumbing

by Stephen Shankland

Google wants to speed up a key part of the Internet's inner workings called the Domain Name System and is inviting technically savvy folks to try their ideas out.

The DNS is a crucial part of the Internet. It converts the text addresses people can remember into the numeric Internet Protocol addresses actually used to locate information on the Internet. For example, CNET.com's IP address is 216.239.122.102.

When you visit a Web page, a DNS server that's part of a vast distributed network often must perform that conversion--called resolving a host--many times. With the Google Public DNS service, Google wants to be that server.

"Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' Web-surfing experiences faster, safer, and more reliable," said product manager Prem Ramaswami in a blog post introducing the Google Public DNS service.

Google's search service already has made it central to the workings of the Internet. If its DNS service becomes popular, Google could become even more significant.

For those who want to give it a whirl, Google posted instructions on using the Google Public DNS service. For those worried about what traces your Web surfing will leave in Google's records, check the Google DNS privacy page.

Originally posted at Deep Tech

December 3, 2009 9:24 AM PST

Avast update falsely flags good apps as malware

by Elinor Mills

Czech Republic-based Avast issued an update late on Wednesday to its antivirus software that mistakenly flagged hundreds of innocent files as a Trojan. It fixed the situation five and a half hours later.

Falsely labeled as malware were programs from Adobe, Realtek, sound card drivers, and various media players, among others, according to a blog post on the Avast Support Center.

The errant update had been issued around 12:15 a.m. GMT. A new update was issued at 5:50 a.m. GMT that corrected the problem. Customers who did not use their computers between those times will most likely not be impacted, the company said.

The software was identifying the good files as the Win32:Delf-MZG Trojan, according to Avast.

Avast, based in Prague, did not respond to an e-mail late on Wednesday seeking comment.

False positives happen in the industry. In July, Computer Associates' antivirus software was falsely tagging a Windows XP system file as a virus, and last year AVG falsely identified a file from security provider ZoneAlarm as a virus.

Originally posted at InSecurity Complex

December 2, 2009 4:09 PM PST

Character limitations in passwords considered harmful

by Jonathan Eunice

For about the 4,000th time in the last five years, I tried to sign up for a new Web service, but it wouldn't accept my proposed password. Apparently, the site operators decided that passwords should contain only letters and numbers. Aarrrrgh! This isn't the first time I've seen this idiocy, and it won't be the last. But it should be.

Guidelines on how to construct a strong password almost uniformly recommend using a mixture of upper and lower case letters, numbers, and symbols. Tools for generating passwords (for example, strongpasswordgenerator.com) encourage the use of symbols. There's even a mathematical formula that precisely calibrates how much more unguessable symbols make a password. So why don't sites support symbols in passwords? It makes no sense.

The strongest case against limited-character passwords isn't technical. It's not about "information entropy." It's about human factors and behaviors. Human factors dominate the success (or failure) of all information systems, including password systems. Humans are lousy at choosing random or quasi-random sequences--exactly the kind of high-entropy, hard-to-guess passwords that information security professionals think ideal. People are even worse at remembering said passwords.

So the pragmatic balance is a middle ground--passwords that are strong enough to thwart hackers' brute-force attacks and guessing algorithms, but easy enough that when someone is presented with a sign-in prompt, they're not stumped, frustrated, and ready to reset all their pass codes back to something like goofydog that easily lets hackers break into their account.

One good solution is using a password generator, such as PasswordMaker. Give it a Web site's URL, as well as a master password; it hands back a strong password such as Ga9i)t|Z that's unique to that site. A hundred different Web sites? No problem! A hundred different passwords, each of them very strong, yet the user has to remember just one (or for the very paranoid, a few) master passwords. For those using Firefox, there's even a plug-in; give it your master password once (per browsing session), and a single keypress automatically fills in the correct strong password whenever it's needed. It's not quite smart card or SecurID strong, but it's plenty strong for most uses, yet easy.

Sites that restrict the characters that can be used in passwords--they are the monkey wrench in this machine, the fly in this ointment. They don't accept the strongest of passwords, thus thwarting users' attempts to pragmatically balance password strength and ease by using password generators. This just encourages users to fall back to easy-to-remember, easy-to-hack passwords. Sigh. Sites that restrict password characters? You are doing it wrong.

While we're waiting for the laggard site operators to get passwords right, there is a good fallback: mnemonic abbreviations. Take a phrase you can easily remember, and turn it into an acronym. For example, "Coffee is my favorite beverage on Planet Earth" might become CimfboPE. You can spruce this up a little further, if you like, by doing letter-number substitution (e.g. 0 for o, 1 for i, 3 for e, and so on). Hackers probably aren't going to guess C1mfb0PE any time soon, yet it's surprisingly easy to recall when it's needed. Farhad Manjoo's article "Fix your terrible, insecure passwords in five minutes" explains this technique well. For some, mnemonic abbreviations are a fallback; for others, they may be strong enough to use for all passwords. After all, anything's better than goofydog.

Originally posted at Apps Meet Ops
Jonathan Eunice, co-founder and principal IT adviser at Illuminata, focuses on system architectures, operating environments, infrastructure software, development tools, and management strategies in networked IT. He has written hundreds of research publications and several books. Jonathan is a member of the CNET Blog Network and is not a CNET employee.

December 2, 2009 7:21 AM PST

McAfee uncovers riskiest domains

by Lance Whitney

Red means danger. And orange offers plenty of risk, too.

(Credit: McAfee)

You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.

McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at the riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.

The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health.

Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most "spammy," with 17.2 percent of its sites generating junk mail.

On the positive side, the government (.gov) is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year's riskiest domain, Hong Kong (.hk) dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to the country's aggressive steps to stop scam-related domain registrations.

"This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."

Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent from the past two years, although the comparison is not direct since McAfee said it changed its rating methodology since then.

McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy and that act slowly or not at all when informed of malicious domains.

December 1, 2009 3:07 PM PST

EFF sues feds for info on social-network surveillance

by Elinor Mills

The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.

The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.

The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.

The EFF needs access to the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections," the lawsuit said.

None of the agencies contacted had complied with the EFF's Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.

The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.

The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.

Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.

"Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends," he said. "Governments are using the sites but not in the way [citizens] expect when they sign up."

The government agencies could not be reached for comment Tuesday afternoon.

Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.

Originally posted at InSecurity Complex