Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."
The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."
In a recorded interview (scroll down for audio) David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends list, Marcus expects an increase in rogue Facebook applications.
"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.
"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.
Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is "also serving as a control vehicle for botnets."
Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.
The report also cites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France Presse, Dow Jones and Reuters based in China."
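The hidden-destination problem described above can be checked before clicking. This added example (not part of the original article or the McAfee report) expands a shortened link one redirect at a time using header-only requests and checks each hop against a blocklist; the host names, the blocklist and the redirect table are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5                                  # refuse long redirect chains
REDIRECT_CODES = {301, 302, 303, 307, 308}


def head_location(url, timeout=5):
    """Send one HEAD request; return (status, Location header or None).

    Only response headers are requested, so the destination page is
    never downloaded or rendered.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, blocked_hosts=frozenset(), fetch=head_location):
    """Follow redirects manually and return (verdict, chain).

    verdict is "ok", "blocked", "bad-scheme", "loop" or "too-many-hops".
    chain lists every URL seen; its last element is where a click
    would have landed.
    """
    chain = []
    for _ in range(MAX_HOPS + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            chain.append(url)
            return "bad-scheme", chain        # e.g. ftp: or javascript:
        if url in chain:
            chain.append(url)
            return "loop", chain
        chain.append(url)
        if parts.hostname in blocked_hosts:   # urlsplit lowercases hostname
            return "blocked", chain
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return "ok", chain                # final destination reached
        url = urljoin(url, location)          # Location may be relative
    return "too-many-hops", chain


# Constructed redirect table standing in for the network (hosts are made up).
SAMPLE = {
    "http://short.example/abc": (301, "http://tracker.example/r?id=1"),
    "http://tracker.example/r?id=1": (302, "https://news.example/story"),
    "https://news.example/story": (200, None),
    "http://short.example/xyz": (301, "http://malware.example/get.exe"),
    "http://short.example/loop": (302, "/loop"),
}
SAMPLE_BLOCKLIST = {"malware.example"}        # constructed blocklist


def sample_fetch(url):
    """Offline stand-in for head_location(), backed by SAMPLE."""
    return SAMPLE.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://short.example/abc", "http://short.example/xyz",
                  "http://short.example/loop"):
        verdict, chain = expand(short, SAMPLE_BLOCKLIST, sample_fetch)
        print(verdict, " -> ".join(chain))
```

Calling `expand(url)` without the `fetch` argument issues real HEAD requests through `head_location`.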
Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. "It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go" and because of the increasingly widespread use of Adobe products, "that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that."
Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.
"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.
There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5--the newest version of the hyper-text markup language that, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."
McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system to disable antivirus software.
"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.
For more on the threats on Facebook and Twitter read "Using Facebook and Twitter safely" on CNET.
Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay."
The year also "saw the conviction of the infamous 'Godfather of Spam,' Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.
"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."
Listen to Larry's interview with David Marcus.
Facebook last Wednesday announced new privacy settings that give users some additional control over what information they share, while taking away the ability to hide a few pieces of information from the general public.
One particular piece of publicly available information--users' friends lists--caused a bit of an uproar from a number of sectors, including business people who don't necessarily want to expose their professional networks to the public and their competitors. It is also a concern to some parents who might not want their kids--or a list of their kids' friends--to be widely available.
Facebook quickly backtracked. A day later, the company announced on its blog that users can now uncheck the "Show my friends on my profile" option in the Friends box on their profile so that their friend list won't appear on their publicly viewable profile.
Unfortunately, they weren't very clear on exactly how you make the change. ...
Sites owned by Yahoo, AOL, and Google have joined Facebook and MySpace in expelling New York sex offenders from their rolls.
New York Attorney General Andrew Cuomo announced Thursday that Google's Orkut.com, AOL's Bebo.com, and Yahoo's Flickr.com are among 13 additional social-networking sites to use sex offender data available through New York's Electronic Securing and Targeting of Online Predators Act (E-Stop) to find and disable accounts associated with registered sex offenders.
Other companies that have agreed to cooperate include BlackPlanet.com, Classmates.com, Flixster.com, Fotolog.com, hi5.com, MyLife.com, Stickam.com, and Tagged.com.
New York Attorney General Andrew Cuomo (Credit: NY Attorney General's Office)
There are still some holdouts. Cuomo called on other sites, including Friendster.com, Buzznet.com, eSpin.com, Habbo.com, and LiveJournal.com, "to commit to using the list." He urged parents and children to consider not using sites that haven't complied.
On December 1, Facebook and MySpace deleted the accounts of more than 3,500 sex offenders based on the New York law.
By comparing this data with their own user rolls, Facebook was able to identify and delete 2,782 registered sex offenders. MySpace deleted 1,796 accounts.
In addition to deleting the accounts of any known registered sex offenders, the companies will turn over information about the accounts to law enforcement officials.
In a statement, Cuomo said: "It is no secret that sexual predators abuse social networking websites to find and manipulate victims and to insinuate themselves into their victims' lives."
The E-Stop law, which was passed in 2008, requires registered sex offenders from New York to disclose their online identities to officials. Information must include e-mail addresses, instant-messaging screen names and social-networking account names. The law also requires the state's Division of Criminal Justice Services to release state sex offender Internet identifiers to social-networking sites and other online services so that they can prescreen or remove individuals who match the list. It also imposes restrictions on sex offenders' use of the Internet if the victim was a minor and if the Internet was used to commit the crime. Restrictions include banning the offender from social-networking sites, as well as prohibiting access to online pornography or communicating with anyone with the intention of promoting sexual relations with a minor.
Cuomo is one of several state attorneys general who have expressed concerns about the danger of Internet predators. In 2008, Cuomo and 48 other attorneys general entered into an agreement with MySpace that resulted in the Internet Safety Technical Task Force, whose report concluded that the actual threat of predators is less than many had feared and that kids are far more likely to be harmed by bullying and harassment from other youth. I served on that task force as a representative of ConnectSafely.org, a nonprofit Internet safety organization I help operate.
Facebook users are about to see an unfamiliar screen when they sign on to the service--a request to configure their privacy preferences. But it's not really a request. It's a requirement.
"As far as we know, it's the first time in the history of the Internet," said Facebook spokesman Simon Axten, "that so many people have been required to make affirmative decisions about their privacy."
The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.
All Facebook users will be asked to configure privacy settings
(Credit: Facebook)
Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.
In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class-action lawsuit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security."
In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create "a new approach to site governance" so that its decision-making would be more transparent.
Mandatory privacy settings
All users will soon be confronted with a "privacy announcement" informing them that they must configure their settings. Initially, you will be able to "skip for now" but you will later be required to go through the steps in order to continue using the service, according to Axten.
To encourage people to share information, Facebook has set the default to "everyone," but you can later go back to set more restrictive settings. You can also keep your old settings. If you're not sure what they are, you can display them by hovering over the radio button.
New Facebook privacy setting page (Credit: Facebook)
In the final step, Facebook displays your settings and gives you a chance to change them. At this point or at any time in the future you will be able to adjust any of your settings.
Final stage verifies new settings. (Credit: Facebook)
The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.
Some information must be publicly available
Some information--including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you're a fan of--will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.
According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a "John Smith" in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However, Axten added that if a user had previously configured their privacy settings, they should keep what they already have.
While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.
Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you'll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night's exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to "friend" me at Facebook.com/larrymagid, but I also maintain a list of "real world friends."
Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.
Facebook's Axten said that application developers will have access to all publicly available information, but can only access other information with the user's permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.
Facebook is also launching a new Privacy Center that will offer "a comprehensive guide that helps users understand and control how they share information."
Disclosure: Facebook is one of several companies that provide support to ConnectSafely.org, a nonprofit Internet safety organization I help run.
Cell phones and the Internet are great ways for romantic partners to stay in touch, but based on a recent survey of 14- to 24-year-olds, they're also being used to spy and harass significant others.
My report on the Associated Press and MTV study about youth digital abuse focused mostly on sexting and how youth respond to cyberbullying. But there was also some interesting data on how technology is being used for "dating abuse."
One of the findings of an MTV/AP youth survey (Credit: AThinLine.org)
The study (PDF) found that 22 percent of youth involved in a romantic relationship say they feel like their significant other uses a cell phone or goes online to check up on them too often. The study also found that "more than 1 in 4 say their boyfriend or girlfriend has checked the text messages on their phone without permission," and more than 10 percent of the young people said that a boyfriend or girlfriend has demanded that they give them their password.
Whether by coercion or not, 26 percent said they had shared an online password with someone. Females (31 percent) are more likely to share passwords than males (22 percent). And though there isn't necessarily a causal relationship, 68 percent of those who have shared passwords report having been a target of digital abuse compared with 44 percent of those who hadn't.
Not surprisingly, a significant minority of the youth (12 percent) said that a boyfriend or girlfriend has called them names, put them down, or said really mean things to them on the Internet or cell phone.
And about 1 in 10 said that a significant other demanded that they unfriend a former boyfriend or girlfriend on social networks.
The survey, conducted for The Associated Press and MTV by Knowledge Networks, interviewed 1,247 people between the ages of 14 and 24 in what was described as a nationally representative survey.
Teen dating violence subject of CBS Evening News report (Credit: CBS Evening News (via CBSNews.com))
This data comes just as there is increased attention on teen dating abuse. CBS Evening News anchor Katie Couric reported last week that 29 percent of America's teens "say that they were emotionally, sexually or physically abused by their boyfriends and sometimes even girlfriends last year." Though technology doesn't cause or necessarily play a role in teen dating violence, it clearly can amplify the problem, especially if a partner in the relationship is using a cell phone or computer to harass, stalk or spy on their partner, as the AP/MTV survey has shown. Technology can also be used by partners to embarrass their significant others by making it possible for a partner to share details of their relationship online. One of the biggest downsides to "sexting" is the possibility of a partner sharing those images with others.
Marriage and family therapist Marty Klein is less concerned about kids sharing intimate photos with their partners than he is about how some are misusing those images. "Take the sex out of sexting and what you have is a betrayal of trust," Klein said. The Internet, he added, "more clearly and sometimes more dramatically focuses our attention on problems that people have struggled with forever." In other words, the Internet and mobile technology don't cause these problems (that exist in offline relationships) but they can amplify them.
Couric also reported that calls and online chat to the National Teen Dating Abuse Helpline went up nearly 600 percent from March 2007 to March 2009. The Helpline's Web site has advice for teens including a section on helping to determine if you're being abused.
In conjunction with the release of the digital abuse survey, MTV launched A Thin Line, a Web site that provides resources to help youth deal with sexting, constant messaging, spying, digital disrespect, and cruelty.
A study conducted by the Associated Press and MTV pretty much confirms what many Internet safety experts have been saying for the past several months: Young people are far more likely to experience problems online from their peers or from their own indiscretions than from adult predators.
But that's hardly to say that there's no need for concern. The AP/MTV study (PDF), released Thursday, found that 50 percent of 14- to 24-year-olds have experienced some type of digital abuse.
MTV launches "A Thin Line" initiative to empower youth to stop digital abuse
The study also found that 30 percent had either sent or received nude photos on their cell phones or online, a practice known as "sexting." Just 10 percent had actually sent such messages, which is in line with a previous study done by Cox Communications.
The AP/MTV study interviewed 1,247 teens and young adults in what the authors call an "online panel that is representative of the entire U.S. population." Respondents were recruited from KnowledgePanel. Details about the study and a campaign to empower youth to stop digital abuse are available at AThinLine.org.
The study's definition of digital abuse includes writing something online that wasn't true, sharing information that a person didn't want shared, writing something mean, spreading false rumors, threatening physical harm, impersonation, spying, posting embarrassing photos or video, being pressured to send naked photos, being teased, and encouraging people to hurt themselves.
As have previous studies, this one points to the need for educating young people on how to empower and protect themselves. While parental and educator involvement is crucial, young people themselves need to embrace and "own" digital safety messages--taught not as "Internet safety" lessons but as part of a larger worldview on how to thrive in the digital age. (For more on this, see Online Safety 3.0: Protecting & Empowering Youth from ConnectSafely.org, a nonprofit group I help run.)
Bullies and passwords
More than two-thirds (69 percent) of the respondents said that digital abuse is a serious problem for people their age, but only half (51 percent) said that they had thought that "things they post online could come back to hurt them later." Only 25 percent said that they considered the possibility that they could get into legal trouble. Some prosecutors have charged teens with violating child pornography laws for taking, possessing or distributing child pornography.
There was some good news on the cyberbullying front. The AP/MTV study reported that 78 percent of the respondents said that "it is always okay to report it when someone harms another person physically," and 55 percent said that "if they witness someone being picked on by a group of people, it is always okay to report it to an authority." Sixty-two percent said they are likely to ask the bully to stop if they themselves are victims of abuse or harassment, and 59 percent said they would ask a friend for help.
The sharing of passwords can lead to someone being impersonated or having their online identity stolen, yet 26 percent of the study's respondents admit that they have shared passwords online. Girls (31 percent) are more likely to share passwords than boys (22 percent). The study found that youth who shared passwords were more likely (68 percent) to be victims of digital abuse than those who didn't (44 percent).
Showing off via sexting
Females are slightly more likely to share a naked photo of themselves (13 percent) than males (9 percent), while youth who are sexually active are more than twice as likely to send such photos as those who aren't (17 percent versus 8 percent). Perhaps more disturbing is the finding that 17 percent say they've passed the image to someone else, and just over 9 percent have distributed the images to more than one person. Remarkably, 29 percent of respondents who shared a naked photo of themselves report that they shared the image with someone whom they had never met in person and knew only online. That represents about 3 percent of the total sample.
The study reported that "61% of those who have sent a naked photo or video of themselves have been pressured by someone else to do so at least once," but it's not clear from the study how many of these young people actually sent photos to people who pressured them.
Reasons for sending "sexts" include "the assumption that others would want to see them (52%), a desire to show off (35%), and boredom (26%)." The study also found that about 30 percent of teens have shared sexts as a joke or to be funny.
Online risk mirrors offline risk
The study didn't conclude that there was any causality between online and offline risk activities, but like previous studies, it did find some significant correlations.
Youth who have been the target of digital bullying were twice as likely (13 percent versus 6 percent) to report having received treatment from a mental health professional and are more than twice as likely to have considered dropping out of school (11 percent versus 4 percent).
Those who reported smoking a cigarette, drinking alcohol, using illegal drugs, or stealing/shoplifting in the past seven days were more likely to have been the target of digital abuse (60 percent versus 48 percent). Sexually active youth were also more likely to have been victims (62 percent of those who have had sex in the last seven days have been targets, compared with 49 percent of those who hadn't had sex).
This data is consistent with a 2007 report (PDF) from the Crimes Against Children Research Center, which found that youth who engage in "aggressive behavior in the form of making rude or nasty comments" were 2.3 times more likely to suffer from interpersonal victimization. Those engaged in "frequently embarrassing others" were 4.6 times more likely to be victimized.
A version of this post also appears on CNET's sister site CBSNews.com.
New York Attorney General Andrew Cuomo announced Tuesday that more than 3,500 sex offenders from his state have been purged from Facebook and MySpace.
Both companies have long had policies against registered sex offenders using their services, but the implementation of New York's new Electronic Securing and Targeting of Online Predators Act ("E-Stop") has made it easier for the sites to identify perpetrators from the Empire State.
Facebook, according to Cuomo, was able to identify and disable the accounts of 2,782 registered sex offenders. MySpace deleted 1,796 accounts.
Cuomo has long been concerned about predators on social-networking sites. In January 2008, New York was one of 49 states that entered into an agreement with MySpace that resulted in a set of principles to combat harmful material on MySpace and other sites. In October 2007, Cuomo's office said Facebook could face a consumer fraud charge for misrepresenting the site's safety for minors, but two weeks later Cuomo and Facebook Chief Privacy Officer Chris Kelly held a joint press conference to announce a "cooperative effort."
The E-Stop law bans many registered offenders from using social-networking sites while on parole or probation and requires all registered offenders to disclose their e-mail addresses, screen names, and "other Internet identifiers." That data is provided to social-networking sites to run against their rolls.
The state of New York, according to Facebook spokesman Barry Schnitt, "built its database with the idea of social-networking companies running it against their user base." He said the way it was coded made it a lot easier to find matches. Other states, said Schnitt, "sometimes just fax over a list. Their databases are designed to help people find out if there is a sex offender living on their street. This is a very different use case."
Sex offender data is collected by states and there is currently no official federal database. The federal Adam Walsh Act calls for such a database but it hasn't been funded. In 2006, MySpace contracted with Sentinel Safe to build a national and searchable registered sex offender database.
While praising Facebook and MySpace's cooperation, Cuomo said that "many other social-networking sites remain slow at adopting available new protections against sexual predators online." He said his office "sent letters urging them to take action now to similarly purge sex offenders from their sites."
As always, it's important to put this news into perspective. It only involves registered sex offenders, which, of course, is a good start, but it only includes people who have been caught and convicted. And, while the companies do their best to ferret out registered offenders who try to hide their identity, there is no way to know how many people succeed in eluding them.
Also, we know of very few children who have been sexually molested by someone they met on social-networking sites or any Internet sites. The vast majority of child sex abuse victims know the offender from the real world. I'm not aware of any cases of a pre-pubescent child being harmed by someone he or she met online and it's even rare among teens.
And, based on conversations with security officials at social-networking companies, I am not aware of any cases where a registered sex offender has been convicted of using the site to aid in harming a child he or she met on that site.
"There are still zero cases reported of any registered sex offender who was booted off MySpace being prosecuted for illegal contact occurring on MySpace," said Hemanshu Nigam, chief security officer for MySpace parent company News Corp.
In January, the Harvard Law Berkman Center's Internet Safety Technical Task Force issued a report that children and teens are less vulnerable to sexual predators than many had feared, though that report was initially met with some skepticism from some attorneys general.
Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pickpockets at the mall, or getting the flu from all those fellow shoppers.
But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.
Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director, David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.
Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.
Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.
Look for trust seals, but verify they're legitimate
It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.
When you're about to enter your credit card, make sure you're on a "secure" site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.
If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.
Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.
Also, some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your Social Security number to online merchants.
It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.
Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online and physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.
Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.
Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."
Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low--another good reason to be cheerful during the holiday season.
Google's new SafeSearch page
Google has long allowed parents a SafeSearch filtering setting that keeps kids from using the search engine to find inappropriate sites like those with explicit sexual images or text.
The problem was that kids could easily change those settings.
Starting Wednesday, however, the company is allowing parents to lock those settings to make it harder (though not impossible) for kids to bypass the settings.
To change the settings, the parent will have to log into his or her Google account and enter a password. Once the settings have been changed, the Google search engine will change in appearance to indicate that it's locked. The new page will have large balls in the upper right corner so that parents can see from across the room that their kids are on the safe search page.
The setting, which places a cookie on the machine, must be configured for each browser the child uses. If you set it only for Internet Explorer, for example, it won't restrict access from Firefox, Chrome, or other browsers. Also, according to a Google representative, the child can get around the setting by using the private browsing feature that is now built into the latest versions of Firefox, Internet Explorer, and Chrome. So, while this will keep kids from accidentally using Google for inappropriate searches, it will not deter tech-savvy kids who are determined to bypass the filters.
As I've said in other posts, filters are never a foolproof way to keep "tweens" and teenagers from inappropriate content. There are always ways to get around them, including using a different machine or mobile phone. Filters are effective for keeping young children from stumbling onto disturbing Web sites and they can be a deterrent to somewhat older kids who might have a momentary or casual interest in looking at material that their parents wish to block.
With all filters and controls, it's important for parents to think about how to use them to help teach their child to exercise self-control and critical thinking so that, eventually, the child can safely use the Web without filters or adult supervision. Also, for very young children, say 5 and under, it remains a good idea to be with the child while he or she is online. Tools like Google's SafeSearch are helpful, but they are no substitute for close parental supervision, especially with young children.
A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you?
Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills and, if they're convicted, deprive them of their freedom for years if sentenced to prison time, and perhaps for life if they're required to register as sex offenders.
That is why, at least in part, a recent case outlined by the Associated Press raised concerns over computer viruses being used to plant child pornography on people's computers. But the innocent have little to fear, according to experts.
The AP story reported on the case of Michael Fiola, a former Massachusetts state employee whose state-owned work computer was found to contain illegal child pornography images. He was fired and charged with possession of child pornography which, had he been convicted, could have landed him in prison for up to five years, according to the AP.
Sexually explicit images of children--who are often being exploited--are not protected by the First Amendment because they may memorialize, celebrate, or encourage sexual crimes against children deemed defenseless victims. Although Fiola avoided a child porn conviction, he reportedly has suffered related indignities, including death threats and friend abandonment. The AP said he and his wife liquidated their savings and spent $250,000 on legal fees.
Ultimately, charges were dropped after Fiola's defense showed that his computer was infected by a virus that was "programmed to visit as many as 40 child porn sites per minute," something that a human couldn't do, even if he or she tried. Other reports about this case indicate that the antivirus software on Fiola's computer was out of date and therefore was not protecting him against malware.
Could it happen to you?
How likely is a case like Fiola's? If viruses are capable of putting illegal content on people's computers, aren't we all at risk of being arrested for serious crimes we never meant to commit? And if it is possible for this to happen, isn't the claim that "the virus did it" likely to become the mantra of every defense attorney who represents people accused of possessing child pornography?
To help answer these questions, I spoke with security experts, legal scholars, former prosecutors, and Justice Department officials. The consensus? It is indeed possible for malicious software to plant child pornography--or any other type of file, for that matter--on an innocent person's computer, but being possible doesn't mean it's likely. And forensics experts can detect intention.
"It's quite possible for a malware creator to include child pornography as part of the payload on an infected computer," according to Symantec spokeswoman Marian Merritt, but "such payloads are not typical."
Most malware authors, Merritt said, "are motivated by money, and there's no clear indication as to how planting child porn on an unsuspecting person's computer would help generate money for criminals."
One possible motive for remotely using someone else's computer to store child porn is to make it possible to access the contraband without running the risk of it showing up if your PC is seized or searched. Merritt worries that "this could become a possible use for malware, going forward," but Michael Geraghty, executive director of the National Center for Missing & Exploited Children Technology Services Division, said that, while possible, it's not an effective way to store child porn and remain undetected.
"If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. He pointed out that the zombie machine storing the data would have to be turned on and connected for the malware sender to access it. If it weren't online, or the files had been deleted, the files wouldn't be there to retrieve.
Another deterrent, of course, is a potential digital trail between your computer and the one you're using to store it. Although there are ways to evade detection, forensic investigators do have ways to trace Internet Protocol addresses to catch people in the act of uploading and downloading material.
"I've never seen it where child porn was intentionally placed on someone's computer because of a virus," Geraghty said. He has, however, seen cases where "someone was redirected to a site where it could have entered the cache." If someone were to go to a legal adult porn site, it's possible that the browser would "open 100 different windows," including some that could contain child porn. "As a result of that, any images on any of these sites would be cached, and there would be a record that you had been there."
But Geraghty said investigators can tell the difference between someone who deliberately downloaded such images and someone who may have inadvertently downloaded perhaps thousands of images because of a virus or misdirected Web site.
Totality of evidence
"A good forensics expert would try to determine how (the images) got on the computer and who was responsible for putting them there," he said. "That would be determined by looking at the totality of the evidence, not just the fact that there were images there."
Things a good investigator would look into include whether the suspect was sitting at the computer at the time the images were downloaded. Was he using the computer to send e-mail or visit other Web sites at the time? "There is always some type of trail we can follow to determine if the person were likely actively involved in the process of downloading the material," Geraghty said.
Another indicator is the time lapse between image downloads. A virus or Trojan horse is likely to download multiple images at a time, sometimes faster than might be humanly possible to do manually. A person who collects child pornography typically acquires it over a period of time, and a forensic investigation of the computer should reveal that.
Phil Malone, a clinical professor at Harvard Law School and director of its Berkman Center Cyberlaw Clinic, agrees that a good forensic investigator should be able to tell the difference between files placed by a virus and ones deliberately downloaded.
"It's the excuse of the moment for defendants," he said. "Lots of child porn defendants try to blame (images found on their computers) on viruses, but it's almost never true. You can actually figure this out. In the handful of cases that have been problematic, it looks as if everyone moved too quickly. The agency discovered material and immediately jumped to conclusions." Malone added that "good, solid forensics would be able to tell in virtually every case."
Malone agreed with Geraghty, of the National Center for Missing & Exploited Children, that it's fairly common for someone, when viewing adult pornography on a Web site, to inadvertently receive pop-ups that may include images of child porn.
"It's possible to tell if something was opened or saved to a file from the cache," Malone said. Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time, he said, adding that it's incumbent on both prosecutors and defense attorneys to launch a thorough investigation that includes analyzing a copy of the hard drive to determine not just which images are stored within, but also how they got there.
Geraghty said it's important to look at other factors. "The computer holds a lot of information about the searches that someone runs. If there were none of those searches and nothing else but some images in the cache, you would question how they got there. You would look for collaborating evidence such as intent to visit the site (and capability) of visiting the site. Did he have knowledge?"
A good investigation will look for exculpatory evidence to see if there are other explanations for the images. That investigation, Geraghty said, should start with making one or more exact copies of the suspect's hard drive and examining those copies to look for evidence of malicious software that could be responsible for the images. Defense attorneys can also gain access to a copy of the drive, but because it may contain illegal child porn images, their experts will probably have to examine the drive at the police station or prosecutor's office; possession of those images--regardless of the reason--is illegal for anyone other than personnel granted immunity.
Burden of proof
"In each case, the prosecution will need to prove (that) the defendant knowingly and intentionally possessed, received, or distributed child pornography," according to Drew Oosterbaan, chief of the Child Exploitation and Obscenity section of the Justice Department. "The proof starts with establishing that the images involved are child pornography and ends with establishing that the person charged is criminally responsible for it. We prove the latter in myriad ways."
Oosterbaan said that when someone is charged with possessing child pornography on his computer, "the computer is, in many ways, a crime scene, and the forensic examination of that computer is critical to meeting the elements of proof in the prosecution." He added that "it's important to remember that in every case, the government carries the burden of proof."
Oosterbaan said he is not aware of any cases in which botnets were used to plant child porn on other people's computers.
A former federal prosecutor now working for a technology company, who requested anonymity, said this may become a bigger issue as we enter the era of cloud computing, in which more and more data is stored on Internet servers instead of hard drives.
"There is no question that perpetrators are going to look for places to hide their criminal activity, including child porn, because they're increasingly aware that if law enforcement comes to their house, they will see the material," the former prosecutor said, adding that companies in the cloud storage business need to be aware that their systems could be used for illegal purposes. "They should reach out to the National Center for Missing & Exploited Children to implement a system to compare uploaded files against hash marks (digital fingerprints) of known child porn images."
As with any other security issue, the best defense is to protect your machine against intrusions. This includes:
- Making sure that your operating system and regularly used software are up-to-date.
- Using good software addressing malware, phishing attacks, and/or spam, and keeping it up to date. Subscriptions to paid programs should be renewed.
- Being cautious about spam and about providing information to sites you navigate to from links within even the most legitimate-appearing e-mails.
Disclosure: I serve without compensation as a board member at the National Center for Missing & Exploited Children, which deals with child porn cases. Still, I don't necessarily agree with all NCMEC policies, nor do I speak on behalf of the organization.





