Tag: facebook

Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google’s Chrome OS will “create another opportunity for malware writers to prey on users.”

The company also anticipates smarter and more dangerous Trojans that “follow the money,” as well as a “significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies.”

In a recorded interview, David Marcus, McAfee Labs’ director of security research and communications, said that he expects “an explosion of Facebook and other services targeted by cybercriminals.” In addition to malware like Koobface that spreads through Facebook users’ friends lists, Marcus expects an increase in rogue Facebook applications.

“When you click yes to ‘do you want to allow this application to access your Facebook account,’ you’re giving that application access to all the data in your Facebook account,” he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.

“A lot of the spammers and scammers will send fake Facebook application requests to users’ inboxes,” he said. Marcus recommends that you only install apps from within Facebook by clicking “browse more applications” in the Facebook application installer.

Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There’s nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you’re going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is “also serving as a control vehicle for botnets.”

Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of “GhostNet,” which McAfee Labs describes as a “network of at least 1,295 compromised computers in 103 countries” that “primarily belonged to government, aid groups, and activists.” The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.

The report also cites “a very targeted wave of attacks against the management of major companies,” as well as attacks carried out against “journalists from various media organizations, including Agence France Press, Dow Jones and Reuters based in China.”

Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. “It’s nothing they’ve (Adobe) done wrong,” Marcus said. “The bad guys go where the masses go” and because of the increasingly widespread use of Adobe products, “that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that.”

Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.

“Instead of viewing a PDF you’re actually taken to a website that downloads some type of malware to your machine.” Adobe plans to patch a critical hole in Reader and Acrobat on January 12.

There is also concern about Google’s Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5–the newest version of the hyper-text markup language that, says the report, “holds all the promises that today’s Web community seeks–primarily blurring and removing the lines between a Web application and a desktop application.”

McAfee also warned of banking Trojans with “new tactics that went well beyond the rather simple keylogging-with-screenshots” that were used earlier. Trojans now use rootkit techniques to hide on a victim’s system and to disable antivirus software.

“Often the victim’s computer becomes part of a botnet and receives malware configuration updates,” the report said.

For more on the threats on Facebook and Twitter read “Using Facebook and Twitter safely” on CNET.

Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals “from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay.”

The year also “saw the conviction of the infamous ‘Godfather of Spam,’ Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world’s unsolicited e-mail,” McAfee said.

“You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time,” Marcus said. He said he thinks “the bad guys will learn from that and build in some redundancy,” but he remains optimistic. “The good guys and regular users are getting tired of getting exploited and we’re finally starting to see more offensive and aggressive takedowns of botnets…we’re starting to see people wanting to take back the Internet.”


Facebook last week launched some privacy settings that give users the option of targeting individual posts to specific people or groups of people. But the most significant thing about the new settings, I think, is that they require every one of Facebook’s 350 million users to run a “transition tool” to review their old settings and decide whether to select new ones.

This isn’t an optional step. Users will be able to “skip for now” the privacy wizard on the first encounter, but they’ll eventually be required to complete it to access their Facebook accounts.

Unless you want to customize the settings, it’s possible to zip through this privacy wizard quickly. But at least it forces you to think about privacy — if only for a minute or two — as a condition of being able to continue to use the service.

As I thought about how to configure my own privacy settings, I realized how little thought I typically give to such questions as who on Facebook gets to see information about my family and relationships, my work and education, and the posts that I create. Going forward, I’m sure I’ll stop thinking about these issues but — for a moment — they were upfront and center.

It reminds me of how many things we do on the Web without really thinking about them. Just about every site we interact with has some type of privacy policy, but how many of us actually read them? I sometimes skim the policy if it’s a site that’s asking for personal information, but skimming — especially for a non-lawyer like me — is far from understanding. And truth be told, there are times when I’ve failed to even click on a site’s privacy policy.

The same is true with “terms of service,” or TOS. These terms — which are on Facebook, MySpace and just about any other site where users are allowed to enter information — are actually a contract. Your responsibility is to read them, understand them, and either agree to them or not use the site. But like those long and complicated rental car contracts that very few people read or those signs at parking lots that say “This Sign Constitutes a Contract — Read It,” most of us never do.

Then there are EULAs, short for “End-User License Agreement.” They’re on almost all software packages, some Web sites and some free plug-ins that we download from the Internet.

Several years ago the Web site PCPitStop.com included a clause in one of its own EULAs associated with free software that promised anyone who read it a “consideration,” including money, if they sent a note to an e-mail address listed in the EULA. Over four months, more than 3,000 people downloaded the software, but only one person followed up with an e-mail. That person was rewarded with a check for $1,000.

This experiment was conducted during the height of the spyware epidemic in which businesses were giving away free avatars, emoticons, password trackers and other software in exchange for getting user permission to put all sorts of advertisements in your face. While spyware has diminished, those days are not completely behind us.

I’m not trying to beat up on people for being in a hurry to get that software or log into the cool site, but perhaps we should pay a little more attention to what we’re “signing” with a click of a mouse.

The Facebook solution is far from perfect. It, too, has its defaults. And if you rush through it, you’ll wind up exposing much of your content to “everyone” rather than the more granular “friends” or “friends of friends.” And some people might not notice that Facebook has changed its privacy policy to make some information public for all its users, including name, profile picture, gender, networks you belong to, friend lists, and pages you affiliate with.

Facebook has a good argument for making this information available — it helps others find you even if you have a common name. But it takes away the user’s option of hiding this information, though you can leave some of these fields blank. Bottom line: Even with Facebook’s more transparent privacy settings and forced transition tool, users are going to have to be alert.

At the end of the day, it’s all about people thinking critically before they click or volunteer information. While I don’t suggest we all go out and hire lawyers to read every EULA and TOS put in front of us, I do think we need to slow down just a bit and put a little more thought into what we’re doing and disclosing online.

Going forward, I hope other sites take their cue from Facebook and work harder to make sure people have to put a bit of thought into their privacy and security, and what they’re giving in exchange for what they’re getting from the site.


by Larry Magid

This post originally appeared in the San Jose Mercury News

More and more people are using social networking sites, including, sadly, criminals seeking to take advantage of the rest of us.

Threats on those sites include applications and quizzes, as well as malware, worms and viruses. But the main risk, says Trend Micro’s Rick Ferguson, is information you post yourself that can jeopardize your privacy and your security.

Ferguson says that “we have a tendency on social networks to share more information than we need to.” While you may need to reveal which schools you went to and where you worked to connect with old school mates or colleagues, “you don’t need to share your date of birth, phone number and address,” Ferguson said.

The threats are not limited to Facebook or MySpace. Ferguson also warns users not to be lulled into a false sense of security when using professional networks like LinkedIn. “Because it’s a professional networking site, people give it more credibility and think it’s safer than other networks,” he said, adding that you put yourself at risk by “posting your entire résumé and exposing your business connections.”

Both Ferguson and Symantec safety education director Marian Merritt warn about online quizzes and applications that are popular on social networking sites.

“Every time you accept an application, you’re giving some third-party developer access to information in your profile,” Merritt said.

She warns that “quizzes are sometimes attached to fraudulent marketing companies.” She said her own teenage daughter took an IQ quiz and had to put in her cell phone number to get her score.

“She didn’t notice that the terms of service would sign her up for premium texting until the bill came.” Fortunately, this particular teenage girl has one of the most cyber-security-conscious moms on the planet, who convinced the carrier to stop the charges.

Some quizzes and surveys reveal far too much information. I recently came across a third-party survey that asks users to reveal “60 Things You Didn’t Know About Me” with questions such as “What are you wearing?” “When was the last time you were drunk?” and “How often do you have sex?” With answers to questions like these on your profile, it doesn’t take a sophisticated hacker to derive information that he shouldn’t have access to.

Some Facebook users don’t seem to be aware of the difference between private messages and wall postings. I have a friend who is posting personal messages to family members’ walls, unaware that those messages are seen by all of the person’s Facebook friends.

Ferguson says to beware of applications that don’t seem to have any purpose other than to spread themselves. Some of these applications automatically send notices to all your friends, telling them that you’re using the applications and encouraging others to install them as well. In addition to spamming your friends, these applications could be gaining access to your profile information and displaying unwanted advertising to all who sign up.

Company spokesperson Simon Axten said Facebook has a team of people and software tools working to enforce rules for application developers. MySpace, according to a spokesperson, also employs a robust security team and tools, including software to block outgoing and incoming spam and warn users about potential phishing sites.

Facebook’s application development process, said Axten, “is relatively open to stimulate innovation and allow people to develop quickly.” But he said developers must agree to a set of rules which, among other things, prohibit them from sending messages on the users’ behalf.

Developers are now required to disclose what information they collect during the installation process, and Axten recommends that users “pay attention to those notices.” He said developers are allowed to collect only the information that they need to run the application, but that can sometimes include profile information and the profiles of your friends.

On all sites, be cautious about clicking on any links, especially those shortened ones that are commonly used on Twitter. If a link is shortened by bit.ly or tinyurl, you have no idea where it will lead you until after you click. Most security suites can warn you before your browser opens potentially dangerous Web sites.

There are other threats, including the Koobface worm, that can steal your password and send spam from your account. Most Internet security programs will protect you against this and other malware.

Users should also be careful about links that appear in posts and messages that could lead to phishing or malware sites. And put on your thinking cap before responding to a friend’s plea for money, even if it comes from your friend’s Facebook account and includes a horrendous story such as being stuck in an overseas jail. Try to reach your friend some other way before responding, because it’s likely a scam.

Disclosure: I am co-director of the nonprofit Internet safety organization, ConnectSafely.org, which receives support from Facebook, MySpace and other social networking companies.


Use Facebook privacy settings

All of the hoopla about Facebook’s controversial user policy sidesteps the point about what social Web users really need to know about protecting their privacy and intellectual property.

The latest controversy erupted last week after a blog trumpeted an otherwise largely ignored change in Facebook’s terms of service that would have granted Facebook an “irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license” to use your material and “use your name, likeness and image for any purpose, including commercial or advertising.”

Needless to say, the privacy and users’ rights community and a lot of bloggers were justifiably alarmed. The Electronic Privacy Information Center reportedly was on the verge of a federal complaint until Facebook decided to rescind the change Tuesday night.

But there was another clause in that short-lived policy that — depending on your reading — either clarifies or contradicts the rest of it. The legalese that gave Facebook perpetual rights was “subject only to your privacy settings” and those settings are hard-wired to limit exposure to your material.

Video – How to set Facebook privacy settings

The site’s privacy settings, in most cases, don’t even permit you to expose your information to everyone on the Web. By default, the settings typically show your profile and other data only to “My Networks and Friends.” While that might include a lot of people, it doesn’t include the entire world. So if Facebook is subject to its own privacy settings, it would be very limited in its right to distribute content from your page to anyone outside your network.

These settings can be modified, but most of them can only be tightened. With a few exceptions, you don’t even have the option to make a lot of your information available to the public at large. One exception is media files such as photos and videos, which, by default, can be viewed by “everyone.” But you can use privacy settings to restrict who can see your photos all the way down to specific friends or even “only me.”

The problem with Facebook’s privacy controls is that a lot of people don’t know about them, and even those who do might find them unintuitive to use. Facebook Chief Privacy Officer Chris Kelly agrees that the company has work to do in this area, and said they are developing a privacy wizard to make it a lot easier to set your controls.

In the meantime, you might want to hover your mouse over the “Settings” tab near the upper-right corner and select Privacy Settings. There you’ll find options to control who can see your profile as well as other information about you, such as your “personal info,” status updates, photos, videos tagged of you and who your friends are. You can control who can see your profile within Facebook and you can turn off access to public search engines such as Google. There are plenty of other settings, including ones to control who can write on your wall and who can comment on notes, photos or other elements of your site.

Settings vary according to what you’re trying to control and, because of the confusing user interface, you might have to hunt around a bit. For example, to change the privacy settings on your own photo albums within the Privacy Settings area you would have to find the fine print under Photos Tagged of You that says “Edit Photo Albums Privacy Settings” or navigate from the Applications tray at the bottom left corner of your browser. That “privacy wizard” they’re working on can’t come a moment too soon.

Another relatively unknown feature is the ability to create multiple friends lists and assign different privileges to people on different lists. For example, if you want only certain people to know your cell phone number you can create a list like “good friends” and another called “colleagues” to make that information available only to people on those lists.

Be especially careful when it comes to third-party applications. For example, I use an application from Eye-Fi that automatically syncs my photos to Facebook and Flickr through my Wi-Fi network. When I review cameras, I often take ugly and stupid test pictures and, if I’m not careful, those pictures can be automatically loaded to my Facebook page for everyone to see. But my most embarrassing moment was about a year ago, when I tried out the New York Times Quiz on a day I hadn’t read the paper, only to have my low score posted for all my Facebook friends to see, including my editor at the New York Times.

Regardless of how you configure your privacy settings, there is a reality of the social Web that can’t be configured away. Any digital information that is posted can be copied, captured, cached, forwarded and reposted by anyone who has access to it. Even if some embarrassing photo or information is up for only a few minutes, there is the possibility that someone might copy it and send it around. And — as many people are painfully aware — friends can become ex-friends. So even if you’re reasonably careful about who you let on your page, you never know what they might do with the information you post.


Net safer for kids than thought

by Larry Magid
reposted from CNET.com

A long awaited report from the Internet Safety Technical Task Force concludes that children and teens are less vulnerable to sexual predation than many have feared. The report also questions the efficacy and necessity of some commonly prescribed remedies designed to protect young people.

The task force was formed as a result of a joint agreement between MySpace and 49 state attorneys general.

Over the past couple of years, several state AGs have been looking into potential dangers to youth, and some have called for social-network sites to use age verification technology to confirm the ages of users in an attempt to prevent adults from interacting online with minors. The task force includes representatives of Internet and social-networking companies, security and identity authentication vendors, and nonprofit advocacy organizations. It’s chaired by John Palfrey of Harvard Law School’s Berkman Center for Internet and Society.

Disclosure: I served as a member of the task force, representing ConnectSafely.org, a nonprofit Internet safety organization I co-founded along with Anne Collier. ConnectSafely receives financial support from MySpace, Facebook, Google, Yahoo, and other Internet and social-networking companies. I am also founder of SafeKids.com and am on the board of directors of the National Center for Missing and Exploited Children, which is represented on the task force.

Based on data analyzed by its Research Advisory Board, the task force concluded that “actual threats that youth may face appear to be different than the threats most people imagine” and that “the image presented by the media of an older male deceiving and preying on a young child does not paint an accurate picture of the nature of the majority of sexual solicitations and Internet-initiated offline encounters.”

While the task force found that youth risk from predators is a concern, the overwhelming majority of youth are not in danger of being harmed by an adult predator they meet online. To the extent that young people have received an unwanted online sexual solicitation, data from a 2000 study and a 2006 follow-up from the Crimes Against Children Research Center concludes that “youth identify most sexual solicitors as being other adolescents (48 percent in 2000; 43 percent in 2006) or young adults between the ages of 18 and 21 (20 percent; 30 percent), with few (4 percent; 9 percent) coming from older adults, and the remaining being of unknown age.”


Reposted from San Jose Mercury News
December 8, 2008

by Larry Magid

What Lori Drew allegedly did to Megan Meier was despicable, but it doesn’t justify her conviction late last month for violating federal laws designed to keep hackers from invading computer networks.

Two years ago, Megan, a 13-year-old Missouri girl, hanged herself after her online friend “Josh Evans,” who had befriended her on MySpace, reportedly told her that he didn’t want to be friends with her and that the world would be better off without her. But Josh was in fact Drew, a 49-year-old mother of one of Megan’s former friends.

According to published reports, Megan had been mean to Drew’s daughter and Josh’s fake online relationship with Megan was a way for Drew to retaliate.

During the trial in Los Angeles, it was revealed that some entries made by Josh were typed by Ashley Grills, a then-18-year-old employee of Drew who was a witness for the prosecution and was not prosecuted.

The case has widely been characterized as a legal assault on cyberbullying, though it is extremely unusual for an adult to bully a teen. There is no reason to believe that Drew intended for Megan to kill herself, but the case against Drew is frequently cited as a warning to would-be bullies that their actions could bring severe consequences to both their victims and themselves.

From what I can gather, this is a case of a squabble between two 13-year-old girls and a mother who intervened in a terribly immature and inappropriate way. Adults are supposed to help young people peacefully resolve problems, not exacerbate them. This is not so much a case of cyberbullying as a case of bad parental intervention that had tragic consequences.

We need to fight against rude, deceitful and cruel behavior on and off the Internet. But that doesn’t justify a reinterpretation of anti-hacking laws to jail people who misuse Internet services.

The legal theory behind the prosecutor’s case is that Drew violated MySpace’s terms of service that prohibit misrepresenting your identity and harassing others. MySpace rules, which Drew says she hadn’t read, require that “all information you submit is truthful and accurate.” Clearly Drew lied. But so have a lot of other people.

She was prosecuted under Section 1030 of the U.S. Code, which was crafted to protect against unauthorized access to computer networks to cause damage, steal information or money or jeopardize national security. As far as I can tell, the law was not designed to prevent people from lying about their identity or otherwise violating rules on a publicly available online service. But that didn’t stop the jury from convicting Drew of misdemeanor violations. The jury refused to go along with the prosecution’s felony charges.

Based on this case, I’m one of millions of people who might also be guilty of a federal crime. I didn’t harass anyone, but I did violate MySpace’s terms of service by creating several fake identities with a variety of ages to test privacy features for teenagers while I was researching a book about MySpace in 2006.

And what about police officers who pose as teenagers to lure would-be predators? Should they have to request immunity from federal prosecution each time they engage in such a sting operation? I’ve even heard cases of law enforcement people advising kids to lie on their profiles to protect their privacy. Should they be indicted for conspiracy?

There are plenty of adults who lie online about their age. I have a friend who set up a profile on an online dating service using a false age, an old photograph and the exaggerated claim that he was “athletic.” A date might have cause to be disappointed or angry at him, but should she have the right to demand a federal prosecution?

Even Megan, with her mom’s knowledge, lied about her age. She was 13 and, at the time, MySpace required users to be at least 14. MySpace recently started allowing 13-year-olds to sign up.

The usual penalty for violating terms of service is to be kicked off the service. Had MySpace decided to go after Drew in court, it could have done so as a civil matter. But it’s not up to federal prosecutors to take it upon themselves to enforce a company’s online agreement with its members, especially if that company never asked for federal intervention.

I can understand why a jury wanted to punish Drew for what happened to Megan. But it’s not clear to me that putting Drew in prison on a hacking charge will help prevent cyberbullying or future tragedies.

What is needed is an educational campaign that makes bullying or harassing just as unacceptable as racial epithets or subjecting others to secondhand smoke. Cyberbullying is a real problem but it requires serious long-term solutions, not quick fixes and prosecutorial hijinks.
