Archive for December, 2009

Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google’s Chrome OS will “create another opportunity for malware writers to prey on users.”

The company also anticipates smarter and more dangerous Trojans that “follow the money,” as well as a “significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies.”

In a recorded interview (scroll down for audio) David Marcus, McAfee Labs’ director of security research and communications, said that he expects “an explosion of Facebook and other services targeted by cybercriminals.” In addition to malware like Koobface that spreads among Facebook users’ friends list, Marcus expects an increase in rogue Facebook applications.

“When you click yes to ‘do you want to allow this application to access your Facebook account,’ you’re giving that application access to all the data in your Facebook account,” he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.

“A lot of the spammers and scammers will send fake Facebook application requests to users’ inboxes,” he said. Marcus recommends that you only install apps from within Facebook by clicking “browse more applications” in the Facebook application installer.

Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There’s nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you’re going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is “also serving as a control vehicle for botnets.”

Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of “GhostNet,” which McAfee Labs describes as a “network of at least 1,295 compromised computers in 103 countries” that “primarily belonged to government, aid groups, and activists.” The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.

The report also cites “a very targeted wave of attacks against the management of major companies,” as well as attacks carried out against “journalists from various media organizations, including Agence France-Presse, Dow Jones and Reuters based in China.”

Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. “It’s nothing they’ve (Adobe) done wrong,” Marcus said. “The bad guys go where the masses go” and because of the increasingly widespread use of Adobe products, “that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that.”

Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.

“Instead of viewing a PDF you’re actually taken to a website that downloads some type of malware to your machine.” Adobe plans to patch a critical hole in Reader and Acrobat on January 12.

There is also concern about Google’s Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5–the newest version of the hyper-text markup language that, says the report, “holds all the promises that today’s Web community seeks–primarily blurring and removing the lines between a Web application and a desktop application.”

McAfee also warned of banking Trojans with “new tactics that went well beyond the rather simple keylogging-with-screenshots” that were used earlier. Trojans now use rootkit techniques to hide on a victim’s system and to disable antivirus software.

“Often the victim’s computer becomes part of a botnet and receives malware configuration updates,” the report said.

For more on the threats on Facebook and Twitter read “Using Facebook and Twitter safely” on CNET.

Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals “from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay.”

The year also “saw the conviction of the infamous “Godfather of Spam,” Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world’s unsolicited e-mail,” McAfee said.

“You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time,” Marcus said. He said he thinks “the bad guys will learn from that and build in some redundancy,” but he remains optimistic. “The good guys and regular users are getting tired of getting exploited and we’re finally starting to see more offensive and aggressive take downs of botnets…we’re starting to see people wanting to take back the Internet.”


The decade that was in tech

by Larry Magid

Some people say the first decade of the 21st century ends this week. Others say it extends until the end of 2010. Either way, the past 10 years were a momentous period for technology.

Not only was there no iPhone a decade ago, there was hardly anything that could be considered a smartphone. The BlackBerry was introduced in 1999, when the well-heeled techno-savvy were carrying around flip phones.

That year, 1999, was the height of the dot-com boom. But when you look back at it, the online world was nothing like it is today. There was no Facebook (founded in 2004) or Twitter (2007). Even MySpace wasn’t founded until 2003. The term Web 2.0 hadn’t been coined and most people who were online used the Web mostly to consume information. Those with the skills and resources to post to the Web were called “Webmasters.” Today, everyone with a Facebook account is a master of his or her own Web.

Ten years ago AOL was the most popular Internet service provider and was so successful that it was able to purchase media giant Time Warner in January 2000 for $182 billion in stock. But the marriage didn’t make it through the decade. The two companies formally split up this month, with AOL, once again, being traded on the New York Stock Exchange as a separate company. AOL thrived in the ’90s because people were using the service to go online via phone. Today most American homes have broadband.

In 1999, most television sets sold still had cathode ray tubes. The first nationwide HDTV broadcast took place in 1998, when the cheapest high-definition sets were selling for more than $6,000.

During much of the past decade, forces behind Blu-ray and HD-DVD were battling to be the successor to the popular DVD format for in-home movies. The war came to an end in 2008 when the HD-DVD camp folded.

Yet, despite enormous industry hype and plenty of movie titles, sales of stand-alone Blu-ray players are still relatively low and movies on Blu-ray discs, according to The Wall Street Journal, represented only 11.5 percent of studios’ in-home video revenue as of September. Blu-ray players are now available for under $130 but they may be entering the mainstream just in time to be irrelevant.

Increasingly, consumers are streaming their movies and TV shows via the Internet and avoiding the need for physical media. Indeed, Netflix — the DVD’s best friend — is a strong proponent of streaming video, offering unlimited access to thousands of titles that can be streamed to computers or TV sets equipped with devices such as the Roku, PlayStation 3, Xbox 360 and some compatible TiVo models.

When the decade started, the most up-to-date Windows operating system was Windows 98. Windows XP came out in 2001. Microsoft launched Windows Vista in January 2007 but consumers never took to it. It wasn’t until October of this year that Microsoft finally came up with what promises to be a winner with the release of Windows 7.

At the start of this decade Mac users were on Mac OS 9. The first desktop version of the current Mac operating system, OS X, was launched in 2001.

Downloadable music is ubiquitous today but the iTunes music store wasn’t launched until 2003. By 2008 it surpassed Wal-Mart as the No. 1 music retailer in the U.S.

Napster was the most popular source of music downloads in 1999, but it was a short ride for the company, which was forced to close its doors in 2001 after being sued by the Recording Industry Association of America. Napster’s assets, including its name, were bought for $5 million in 2002 by Roxio. But in 2008 retailer Best Buy acquired it for $121 million.

In 2000, federal Judge Thomas Penfield Jackson officially ruled that Microsoft was a monopoly and for a while it looked as if the Justice Department would seek to have the company split in two. But in November 2001, Microsoft and the Justice Department reached a settlement. One concern at the time was whether Microsoft would use its immense power to dominate the Internet. Few people then put much stock in the prospects of a small startup called Google that was run by a couple of Stanford graduate students. Now Google is being investigated by the Federal Trade Commission for its own alleged antitrust behavior.

I spent New Year’s Day morning 2000 at Hewlett-Packard watching CEO Carly Fiorina declare that the turn of the century came and went without a major technology meltdown. Leading up to the new century, some doomsayers worried that the “millennium bug” or “Y2K” would wreak havoc on the world’s computers at the stroke of midnight because computer clocks would think it was 1900. It turned out to be a non-event though it did force a lot of companies to revise their software in time to avoid problems.

One of the most notable inventions of the decade was the Segway. When the gyroscopically controlled scooter was unveiled by inventor Dean Kamen on ABC-TV’s “Good Morning America” in December 2001, it was hailed as a major revolution in transportation. The Segway never really took off as a mass-market device, though I have spotted a few businesses around the world using them to take tourists around cities, and have noticed an occasional mall cop using them as an alternative to walking a beat.

I’m not even going to try to predict what the next 10 years will look like, other than to assume that the pace of change is likely to increase.

If you go to Google and click “I’m feeling lucky” without typing anything in the search box you’ll see a number counting down by seconds. It was a mystery number until I did the math. Here’s what I did.

I used Excel to divide that number by 60 to turn it into minutes and then by 60 again to turn it into hours. I divided that number by 24 to turn it into days (and fraction of a day). Then I used Excel’s time & date function to calculate the exact time (“now”) and added that to the number. Sure enough, the result was 1/1/2010 00:00.

It’s no longer a mystery. It’s the number of seconds until 2010.

The results of clicking "I'm feeling lucky" around 6:07 PM (PT) on Dec 14th

Facebook last week launched some privacy settings that give users the option of targeting individual posts to specific people or groups of people. But most significant about the new settings, I think, is that they require every one of Facebook’s 350 million users to run a “transition tool” to review their old settings and decide whether to select new ones.

This isn’t an optional step. Users will be able to “skip for now” the privacy wizard on the first encounter, but they’ll eventually be required to complete it to access their Facebook accounts.

Unless you want to customize the settings, it’s possible to zip through this privacy wizard quickly. But at least it forces you to think about privacy — if only for a minute or two — as a condition of being able to continue to use the service.

As I thought about how to configure my own privacy settings, I realized how little thought I typically give to such questions as who on Facebook gets to see information about my family and relationships, my work and education, and the posts that I create. Going forward, I’m sure I’ll stop thinking about these issues but — for a moment — they were upfront and center.

It reminds me of how many things we do on the Web without really thinking about them. Just about every site we interact with has some type of privacy policy, but how many of us actually read them? I sometimes skim the policy if it’s a site that’s asking for personal information, but skimming — especially for a non-lawyer like me — is far from understanding. And truth be told, there are times when I’ve failed to even click on a site’s privacy policy.

The same is true with “terms of service,” or TOS. These terms — which are on Facebook, MySpace and just about any other site where users are allowed to enter information — are actually a contract. Your responsibility is to read them, understand them, and either agree to them or not use the site. But like those long and complicated rental car contracts that very few people read or those signs at parking lots that say “This Sign Constitutes a Contract — Read It,” most of us never do.

Then there are those EULAs, which stands for “End-User License Agreement.” They’re on almost all software packages, some Web sites and some free plug-ins that we download from the Internet.

Several years ago the Web site PCPitStop.com included a clause in one of its own EULAs associated with free software that promised anyone who read it a “consideration,” including money, if they sent a note to an e-mail address listed in the EULA. Over four months, more than 3,000 people downloaded the software, but only one person followed up with an e-mail. That person was rewarded with a check for $1,000.

This experiment was conducted during the height of the spyware epidemic in which businesses were giving away free avatars, emoticons, password trackers and other software in exchange for getting user permission to put all sorts of advertisements in your face. While spyware has diminished, those days are not completely behind us.

I’m not trying to beat up on people for being in a hurry to get that software or log into the cool site, but perhaps we should pay a little more attention to what we’re “signing” with a click of a mouse.

The Facebook solution is far from perfect. It, too, has its default. And if you rush through it, you’ll wind up exposing much of your content to “everyone” rather than the more granular “friends” or “friends of friends.” And some people might not notice that Facebook has changed its privacy policy to make some information public for all its users, including name, profile picture, gender, networks you belong to, friend lists, and pages you affiliate with.

Facebook has a good argument for making this information available — it helps others find you even if you have a common name. But it takes away the user’s option of hiding this information, though you can leave some of these fields blank. Bottom line: Even with Facebook’s more transparent privacy settings and forced transition tool, users are going to have to be alert.

At the end of the day, it’s all about people thinking critically before they click or volunteer information. While I don’t suggest we all go out and hire lawyers to read every EULA and TOS put in front of us, I do think we need to slow down just a bit and put a little more thought into what we’re doing and disclosing online.

Going forward, I hope other sites take their cue from Facebook and work harder to make sure people have to put a bit of thought into their privacy and security, and what they’re giving in exchange for what they’re getting from the site.


Facebook users are about to see an unfamiliar screen when they sign on to the service–a request to configure their privacy preferences. But it’s not really a request. It’s a requirement.

“As far as we know, it’s the first time in the history of the Internet,” said Facebook spokesman Simon Axten, “that so many people have been required to make affirmative decisions about their privacy.”

The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.


All Facebook users will be asked to configure privacy settings
(Credit: Facebook)

Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.

In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class-action lawsuit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to “fund projects and initiatives that promote the cause of online privacy, safety, and security.”

In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create “a new approach to site governance” so that its decision-making would be more transparent.

Mandatory privacy settings
All users will soon be confronted with a “privacy announcement” informing them that they must configure their settings. Initially, you will be able to “skip for now” but you will later be required to go through the steps in order to continue using the service, according to Axten.

To encourage people to share information, Facebook has set the default to “everyone,” but you can later go back to set more restrictive settings. You can also keep your old settings. If you’re not sure what they are, you can display them by hovering over the radio button.


New Facebook privacy setting page
(Credit: Facebook)

In the final step, Facebook displays your settings and gives you a chance to change them. At this point, or at any time in the future, you will be able to adjust any of your settings.

Final stage verifies new settings.
(Credit: Facebook)

The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.

Some information must be publicly available
Some information–including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you’re a fan of–will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.

According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a “John Smith” in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However, Axten added that if a user had previously configured their privacy settings, they should keep what they already have.

While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.

Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you’ll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night’s exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to “friend” me at Facebook.com/larrymagid, but I also maintain a list of “real world friends.”

Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.

Facebook’s Axten said that application developers will have access to all publicly available information, but can only access other information with the user’s permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.
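The visibility model described in the preceding sections (the friends / friends-of-friends / everyone levels, custom include-or-exclude lists, the under-18 cap, the always-public fields, and what a third-party app may read without a grant) can be written down as a small policy evaluator. This is an added illustration, not Facebook’s code; how an empty include list and an exclusion combine, and the symmetry of friendship, are assumptions of this example, and the “friends and networks” level is not modelled.

```python
from dataclasses import dataclass, field

# Visibility levels named in the article, plus the customize option.
FRIENDS, FRIENDS_OF_FRIENDS, EVERYONE, CUSTOM = "friends", "friends_of_friends", "everyone", "custom"

# Fields the article says are available to everyone regardless of settings.
ALWAYS_PUBLIC = {"name", "profile_picture", "gender", "current_city",
                 "networks", "friend_lists", "pages"}

@dataclass
class User:
    uid: str
    age: int
    friends: set = field(default_factory=set)
    lists: dict = field(default_factory=dict)   # named friend lists -> set of uids

@dataclass
class Post:
    owner: str
    audience: str                                # FRIENDS, FRIENDS_OF_FRIENDS, EVERYONE or CUSTOM
    include: set = field(default_factory=set)    # CUSTOM: uids or list names to allow
    exclude: set = field(default_factory=set)    # CUSTOM: uids or list names to deny

def befriend(users, a, b):
    # Assumption: friendship is symmetric (needed for friends-of-friends lookups).
    users[a].friends.add(b)
    users[b].friends.add(a)

def expand(owner, names):
    """Resolve a mix of list names and individual uids to a set of uids."""
    out = set()
    for n in names:
        out |= owner.lists.get(n, {n})
    return out

def effective_level(owner, level):
    """Article: users under 18 can expose content at most to friends of friends."""
    if owner.age < 18 and level == EVERYONE:
        return FRIENDS_OF_FRIENDS
    return level

def can_view(users, post, viewer):
    """Decide whether `viewer` may see `post` under the owner's chosen audience."""
    owner = users[post.owner]
    if viewer == owner.uid:
        return True
    if post.audience == CUSTOM:
        # Assumption: an empty include list means "all friends"; exclusions always win.
        base = expand(owner, post.include) if post.include else set(owner.friends)
        return viewer in (base - expand(owner, post.exclude))
    level = effective_level(owner, post.audience)
    if level == EVERYONE or viewer in owner.friends:
        return True
    if level == FRIENDS_OF_FRIENDS:
        return any(viewer in users[f].friends for f in owner.friends)
    return False

def app_can_read(field_name, granted):
    """Third-party apps see always-public fields; anything else needs an explicit user grant."""
    return field_name in ALWAYS_PUBLIC or field_name in granted

def build_sample():
    """Constructed sample graph: alice (adult), bob (17), their friends and a stranger."""
    users = {u: User(u, a) for u, a in [("alice", 30), ("bob", 17), ("carol", 25),
                                         ("dave", 40), ("erin", 22), ("stranger", 50)]}
    befriend(users, "alice", "carol"); befriend(users, "alice", "dave")
    befriend(users, "carol", "erin"); befriend(users, "bob", "carol")
    users["alice"].lists = {"frat": {"carol"}, "church": {"dave"}}
    return users
```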

Facebook is also launching a new Privacy Center that will offer “a comprehensive guide that helps users understand and control how they share information.”

Disclosure: Facebook is one of several companies that provides support to ConnectSafely.org, a nonprofit Internet safety organization I help run.

This article originally appeared on CNET News.com
