Archive for September, 2010

55% of malware are Trojans (Source: Panda Labs)

Panda Labs' 3rd Quarter 2010 threat report (PDF) found that 95% of all email is spam and that Trojans constituted 55% of all new threats, but that infections via email are declining in favor of increased attacks via social networking sites, including attacks associated with Facebook's "Like" button.

The Facebook Like button is embedded in third-party pages with JavaScript, and that same embedding can be abused for clickjacking: the real button is loaded into an invisible frame positioned over something the user actually wants to click, so the user "likes" a page without realizing it, and the like is then automatically recommended to all of their Facebook friends.
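The two halves of that attack, as an added example that is not part of the original post or of Facebook's code: the attacker's page, which layers a transparent frame over a decoy, and the check a browser performs against the framed page's anti-framing headers. All origins and URLs here are made-up placeholders. Note that the Like widget is designed to be framed, so these headers are a defense for pages that should never be embedded; a widget that must be embeddable has to rely on other mitigations (such as a confirmation step) on the widget provider's side. `X-Frame-Options` was already shipping in 2010; the `frame-ancestors` directive of Content-Security-Policy is a later standard, included here because it is what a practitioner would deploy today.

```javascript
// Added example (not from the original post). Origins and URLs are placeholders.

// 1. The attacker's page: a decoy the victim wants to click, and a transparent
//    iframe holding the real widget positioned exactly over it. The click
//    lands on the invisible frame, not on the decoy.
function buildClickjackPage(widgetUrl, decoyText) {
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:100px;left:100px;z-index:1">${decoyText}</button>`,
    // opacity:0 keeps the frame clickable but invisible; z-index puts it on top.
    `<iframe src="${widgetUrl}" style="position:absolute;top:90px;left:80px;` +
      'width:120px;height:40px;opacity:0;z-index:2;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// 2. What a browser does with the victim page's anti-framing headers.
//    Returns true if a response with these headers, served from pageOrigin,
//    may be rendered inside a frame whose top-level document is topOrigin.
function mayBeFramed(headers, pageOrigin, topOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/);
      if (sources.includes("'none'")) return false;
      if (sources.includes("'self'") && topOrigin === pageOrigin) return true;
      return sources.some((s) => s !== "'self'" && s === topOrigin);
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return topOrigin === pageOrigin;
  return true; // no policy at all: any site can frame it, which is the clickjacking case
}

module.exports = { buildClickjackPage, mayBeFramed };
```

The last branch is the one that matters: a page that sends neither header can be framed by anyone, and a JavaScript "frame-buster" is not a substitute, since the framing page can neutralize it (for example with the `sandbox` attribute on the iframe). Send the header from the server on every response that should not be embedded.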

There are also increased attacks via Google’s Android phones including scams that cause people to rack up phone bills with dubious services and attacks that disclose users’ geolocation to a third party.

Monsters of a Different Kind

The report also said there were Black Hat SEO attacks aimed at searches for Moshi Monsters, a very popular search term for children interested in "adopting their very own pet monsters." Trouble is, some kids were encountering monsters of a different kind: ones that put malicious software on their computers. Black Hat SEO is when sites get optimized for search engines using illegitimate techniques, such as packing long lists of keywords into a site, designed to trick search engines into linking to them even if they have no real content related to that search.

There has also been an increase in worms spreading via USB drives. The report said that "25% of new worms are designed to spread via USB devices."

The “top” spamming country is India followed by Brazil, Russia and Ukraine. The United States is the eighth most spamming country.

India tops the list of spamming countries (Source: Panda Labs)

by Larry Magid
This article first appeared on CNET News.com

Worm goes after power plants, pipelines and other facilities

The Stuxnet computer worm that may have been designed to attack a nuclear facility in Iran could have been state sponsored, according to two security experts with whom I spoke.

“We can tell by the code that it’s very, very complex to the degree that this type of code had to be done, for example, by a state and not, for example, some hacker sitting in his parents’ basement,” said Symantec security researcher Eric Chien.

Chien added, however, that “there’s nothing in the code that points to the particular author” or “what their motivation is.” (Scroll down to listen to entire Chien interview.)

TrendMicro security researcher Paul Ferguson agrees that Stuxnet was likely state-sponsored. “The amount of technical expertise that went into this doesn’t appear to have been by some random lone individual person because they would have had to have access to these systems to develop this.”

Not necessarily aimed at Iran nuke
Ferguson could not confirm that the target was an Iranian nuclear plant. “That is purely speculation at this point, there have been lots of theories as to what the target was.” He said it could also have been aimed at oil and gas facilities or other installations that use Siemens control systems, which were specifically attacked, he said. (Scroll down to listen to entire Ferguson interview.)

Serious threat
Both Chien and Ferguson said this type of code is a major security concern. “For the broader population, this is definitely a new generation of attack. We’re not talking any more about someone stealing someone’s credit card numbers, what we’re talking about is someone being able to, for example, cause a pipeline to blow up or cause a nuclear centrifuge to go out of control or cause power stations to go down. So we’re not talking about virtual or ‘cyber’ sort of implications here, what we’re talking about are real life implications.”

Ferguson said “it is a big deal because the utility companies, and manufacturing communities and the power companies and gas and oil companies for years have been using closed proprietary systems to manage their infrastructure and over the course of the past few years they’ve been making business decisions to use off-the-shelf software like Windows.” He added that we are now seeing the same threats as on other networks, as facilities are connected to the Internet or allow access to thumb drives. This type of threat, according to Ferguson, is “absolutely new and that’s why a lot of people in the intelligence community, in the Department of Homeland Security and different governments around the world are really kind of spooked by this development. It shows the targeted nature and sophistication of the criminal/espionage aspect to this.”

Podcast interviews with Chien and Ferguson

Click links below to listen to separate podcast interviews with Symantec’s Eric Chien and TrendMicro’s Paul Ferguson.

Symantec’s Eric Chien

TrendMicro’s Paul Ferguson

It’s time to modernize school technology
(Credit: London School of Economics, 1981 — via Flickr Creative Commons)

The Federal Communications Commission on Thursday voted to modernize E-Rate. E-Rate was established in 1996 to provide federal subsidies to schools and libraries for telecommunications and Internet access. Back then, many schools were still on dial-up and the broadband available was sluggish by today’s standards. What’s more, the Internet was something people accessed from desks, not mobile devices.

Under the new rules, schools will be encouraged to upgrade to 1 gigabit, which is a thousand times faster than the 1 megabit service that many schools use today.

Mobile and Community Access

Another provision of the new rules provides a pilot program for mobile access. Although still relatively rare, some schools are using smartphones, iPads, iPod Touches, netbooks and laptops as part of the learning process, and now at least a few schools will be able to use E-Rate funding to equip students with devices that let them access learning materials not only from school but from home, in between school and home, or wherever they happen to be. In a speech he gave on Monday at Common Sense Media’s “Back to School Event” in Mountain View, California, FCC Chairman Julius Genachowski talked about how mobile technology can replace the “50 pound backpacks” full of books that many of our kids are carrying. For more on mobile learning see Cellphones & school: a great mix by Anne Collier, who is editor of NetFamilyNews and my co-director at ConnectSafely.org.

Another provision of the new rules allows schools to offer broadband services to local communities during non-school hours. In theory it might be possible for schools to set up their wireless networks for their neighbors, especially now that the FCC also approved so-called “Super WiFi” which uses the white space between TV channels as unlicensed spectrum for signals that can travel much further than current WiFi.

Schools Can Still Over-Block

One issue that the agency didn’t address is that a 2000 federal law, The Children’s Internet Protection Act (CIPA), requires schools and libraries that receive E-Rate to filter Internet access to prevent kids from accessing “visual depictions deemed obscene, pornographic, or harmful to minors.” While I have no qualms about blocking porn and gratuitous violence, it’s unfortunate that the filters at many schools also block access to social networking sites, including Facebook.

While it is certainly possible for students (and the rest of us) to waste precious time on Facebook, there are also plenty of educational opportunities afforded by Facebook and other social networking tools. Away from school, kids are using these tools not only to socialize, but to share their creative works and to collaborate on projects. If schools are truly going to prepare youth for living, learning and working in the 21st century, they have to embrace 21st century technology, which means more than just putting them in front of computers or even mobile devices to consume learning materials. Kids also need to be encouraged to create content and share it with others. They do that anyway, so why not make it part of what they do at school, with appropriate supervision, guidance and educational incentives?

My Interview with FCC Chairman

Julius Genachowski

For more on this, please read about and listen to my recent CBS News & CNET interview with FCC Chairman Julius Genachowski.

Participants from throughout the world are gathered in Vilnius, Lithuania, this week for the fifth-annual Internet Governance Forum.

The IGF is an annual United Nations-sponsored event where representatives from governments, nonprofits, academic institutions, and businesses worldwide discuss a broad range of policy issues including online safety, privacy, rights of children, equality issues and other topics pertaining to the way the Internet is affecting every country.

The goal of IGF is “to foster the sustainability, robustness, security, stability and development of the Internet.”

In addition to covering the event, I’m on a panel about the youth safety implications of location-based services via GPS-enabled mobile phones.

One opening day panel was about “The Future of Privacy,” where speakers looked at data retention and other privacy issues from a European and American perspective.

Among the issues discussed was the question “should there be an expiration date on personal information?” — or as one participant put it, “the right to be forgotten.”

I’m not sure I completely agree. While I do support the idea of limiting the amount of time that companies can store data on individuals, I don’t think that all Internet records should be purged just because a certain amount of time has passed.

If a politician, for example, makes a statement when running for public office and then runs for other offices years later, voters in that subsequent election deserve to know his or her record. It might, however, make sense to give adults the right to purge anything said about them from before they were 18, just as we usually purge criminal records of young offenders.

Kevin Bankston of the Electronic Frontier Foundation (Credit: EFF)

Although I didn’t have to go all the way to Eastern Europe to listen to a speaker from San Francisco-based Electronic Frontier Foundation, I was most interested in comments from EFF’s Senior Staff Attorney Kevin Bankston.

Bankston outlined what he called three outdated privacy dichotomies.

The first is the notion, codified in U.S. law (the 1986 Electronic Communications Privacy Act), that data stored on your own home or office computer deserves a higher level of privacy protection than data stored “in the cloud,” meaning any type of Internet-based storage system, including services like web e-mail. The “cloud” is for all practical purposes an extension of your desktop computer, so giving the government easier access to cloud data than to data stored on personal hard drives makes no sense.

Another old fashioned dichotomy is real time wiretapping vs. surveillance of past communications. Bankston said that it’s easier for law enforcement to get access to five years’ worth of past e-mail than to get a wiretap order to listen to phone conversations for the next 30 days. Bankston argues that access to past e-mails may provide a lot more information about you — including things that are likely to have nothing to do with an actual criminal investigation — than a month’s worth of phone calls.

“The law should provide equally strong protections for your stored communications as it protects you against wiretapping of your communications as they happen,” he said.

It’s also a false dichotomy for the law to distinguish between the actual content of your communications — such as what you’re saying on the phone — and non-content transactional data about your communications, such as the phone numbers you dial. In phone surveillance, it’s a lot easier for police officers to get their hands on who you’ve talked with than recordings or transcripts of the actual conversations.

While that might have made some sense with telephones, Bankston says it makes no sense with Internet communications. He refers to an MIT study that showed that knowing who one’s Facebook friends are can accurately predict a person’s sexual preference.

Another speaker, Hugh Stevenson of the U.S. Federal Trade Commission, talked about the need for privacy policies and pointers to be “contextually relevant.”

Instead of a website having a long privacy policy that no one reads, the site should present users with privacy information at each point when they are about to take action that could reveal information.

And, of course, privacy policies need to be clearly written and reasonably concise. A 50-page document that requires you to click on a box to claim you’ve read it before you can sign up for a service doesn’t cut it.

I’ve now had a couple of opportunities to play with the Galaxy Tab Android tablet that Samsung announced at the IFA consumer electronics show in Berlin. And while a few minutes of usage at a trade show is not the same as taking it out for a test drive, it’s enough to get some first impressions.

My initial reaction is mostly positive. After using the Apple iPad with its 9.7-inch screen and many smartphones with 3- or 4-inch screens, I was a little skeptical about the idea of a 7-inch tablet, yet I found that there was enough screen real estate to happily browse the web and read books (though I only had time to read about a page using the device’s bundled Kobo e-reader, which looks a lot like Apple’s iBooks app).

Apple iPad next to Samsung Galaxy Tab. Both in portrait mode (Photo: Larry Magid)

Kobo e-reader on Samsung Galaxy Tab (Photo: Larry Magid)

3G Video Conferencing as Easy as FaceTime

The user interface on the Tab’s video conferencing feature rivals that of Apple’s FaceTime, which is currently only available on the iPhone 4 and the soon-to-be-shipped new iPod Touch. But, unlike FaceTime, the Tab allows you to make a video call over 3G networks rather than only via WiFi. I had a chance to test that at the T-Mobile booth at IFA (confirming that T-Mobile will sell the Tab, at least in Germany). To my delight, initiating a video call is very easy. It’s simply one of the options in the standard phone dialer app.

Simply touch “Video call” to initiate a video conference (Photo: Larry Magid)

Because the one test call I made was via a 3G cellular network and not WiFi broadband, there were some delays and the video was a bit choppy but it was better than I expected.

Larry (bottom screen) chats with tech-blogger Steve Wildstrom at T-mobile booth at IFA

Web Browsing

The good news about web browsing on the Tab is that the screen is large enough to give you an experience more or less on par with an iPad or even a PC. The bad news, which my colleague Steve Wildstrom pointed out to me, is that the Android 2.2 browser “identifies itself to websites as a mobile browser so the sites scale the image for a 3-inch display.” It would be very simple for Google to modify the browser’s user-agent string so that sites served their full versions rather than mobile ones, but it’s not clear whether Google will do that during the life-cycle of the Tab. Samsung confirmed that it is working on a separate tablet that will run Google’s as-yet-unannounced Honeycomb version of Android, optimized for tablets, but current versions of Android are not designed for larger screens. Still, most apps seem to look pretty good on this device, though Samsung has admitted that some don’t work well on a screen this size.
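How a site ends up serving a 7-inch tablet its phone layout, as an added example that is not part of the original post: the stock Android browser of that era put a “Mobile” token in its user-agent string, and sites keyed their layout on that token rather than on the screen. The user-agent strings below are constructed to follow the 2010 formats; the device model “XX-0000” is a placeholder, and the viewport thresholds are assumptions chosen for illustration.

```javascript
// Added example (not from the original post). User-agent strings are
// constructed; the device model token is a placeholder.
const UA_ANDROID_22_TABLET =
  'Mozilla/5.0 (Linux; U; Android 2.2; en-us; XX-0000 Build/FROYO) ' +
  'AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1';
const UA_IPAD =
  'Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) ' +
  'AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10';
const UA_DESKTOP =
  'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/6.0 Safari/534.10';

// What a typical 2010 site did: decide the layout from the user-agent alone.
// On Android the deciding token is "Mobile"; a 7-inch tablet running the
// phone browser sends it and therefore gets the phone layout.
function layoutFromUserAgent(ua) {
  if (/\bAndroid\b/.test(ua)) return /\bMobile\b/.test(ua) ? 'phone' : 'tablet';
  if (/\biPad\b/.test(ua)) return 'tablet'; // iPad also carries "Mobile/", so it needs its own rule
  if (/\biPhone\b|\biPod\b/.test(ua)) return 'phone';
  return 'desktop';
}

// The more robust rule: prefer what the client reports about its viewport
// (CSS pixels, e.g. from a cookie the page sets or a media query on the client)
// and fall back to the user-agent only when no such measurement exists.
// Thresholds are illustrative assumptions, not standards.
function chooseLayout(ua, viewportCssWidth) {
  if (Number.isFinite(viewportCssWidth)) {
    if (viewportCssWidth >= 960) return 'desktop';
    if (viewportCssWidth >= 600) return 'tablet';
    return 'phone';
  }
  return layoutFromUserAgent(ua);
}

module.exports = { layoutFromUserAgent, chooseLayout, UA_ANDROID_22_TABLET, UA_IPAD, UA_DESKTOP };
```

A security footnote for anyone copying the first function into something more important than a layout switch: the user-agent string is entirely under the client's control, so it is fine for choosing a stylesheet and useless for any access-control or fraud decision.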

General Impressions

I’m pleased that Samsung has created what feels like a serious attempt to create a new subcategory of tablet computing which is more suitable to mobile applications than the Apple iPad. With its 7-inch screen and form factor of 7.5 by 4.7 by .5 inches it is small enough to easily hold in one hand and use even as you walk around. Although it has a phone, I don’t see many people using it to make phone calls and if they do, they are almost certainly going to want to use a headset or use it as a speaker phone.

I’m also glad to see that the Tab supports Flash, so users will be able to enjoy video and other Flash applications that remain quite popular on the web, and, as an Android device, it’s nice to know that it will be able to run most of the tens of thousands of apps that are available for that platform. I am, however, concerned that there may be apps whose display is simply not optimized for this screen size. That’s also true with the iPad, which allows you to double the size of iPhone apps so that they are larger, albeit grainier. My hope is that Google figures out a way to let apps scale to work on any sized screen and that app developers find ways to create apps that will work well on a variety of form factors.

For another perspective on the Galaxy Tab, see Harry McCracken’s post on Technologizer.com
