Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google’s Chrome OS will “create another opportunity for malware writers to prey on users.”

The company also anticipates smarter and more dangerous Trojans that “follow the money,” as well as a “significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies.”

In a recorded interview (scroll down for audio) David Marcus, McAfee Labs’ director of security research and communications, said that he expects “an explosion of Facebook and other services targeted by cybercriminals.” In addition to malware like Koobface that spreads among Facebook users’ friends list, Marcus expects an increase in rogue Facebook applications.

“When you click yes to ‘do you want to allow this application to access your Facebook account,’ you’re giving that application access to all the data in your Facebook account,” he said. Facebook vets the third-party applications that it distributes, but rouge developers are finding other ways to get people to install unauthorized apps.

“A lot of the spammers and scammers will send fake Facebook application requests to users’ inboxes,” he said. Marcus recommends that you only install apps from within Facebook by clicking “browse more applications” in the Facebook application installer.”

Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There’s nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you’re going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report is “also serving as a control vehicle for botnets.”

Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of “GhostNet,” which McAfee Labs describes as a “network of at least 1,295 compromised computers in 103 countries” that “primarily belonged to government, aid groups, and activists.” The malicious code was delivered by e-mail with subject headings related to the Dali Lama and Tibet, according to the report.

The report also sites “a very targeted wave of attacks against the management of major companies,” as well as attacks carried out against “journalists from various media organizations, including Agence France Press, Dow Jose and Reuters based in China.”

Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. It’s nothing they’ve (Adobe) done wrong,” Marcus said. “The bad guys go where the masses go” and because of the increasingly widespread use of Adobe products, “that tends to be what the bad buys will start looking to exploit. It really is nothing more sophisticated than that.”

Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.

“Instead of viewing a PDF you’re actually taken to a website that downloads some type of malware to your machine.” Adobe plans to patch a critical hole in Reader and Acrobat on January 12.

There is also concern about Google’s Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5–the newest version of the hyper-text markup language that, says the report, “holds all the promises that today’s Web community seeks–primarily blurring and removing the lines between a Web application and a desktop application.”

McAfee also warned of banking Trojans with “new tactics that went well beyond the rather simple keylogging-with-screenshots” that were used earlier. Trojans now use rootkit techniques to hide on a victim’s system to disable antivirus software.

“Often the victim’s computer becomes part of a botnet and receives malware configuration updates,” the report said.

For more on the threats on Facebook and Twitter read “Using Facebook and Twitter safely” on CNET.

Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals “from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay.”

The year also “saw the conviction of the infamous “Godfather of Spam,” Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world’s unsolicited e-mail,” McAfee said.

“You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time,” Marcus said. He said he thinks “the bad guys will learn from that and build in some redundancy,” but he remains optimistic. “The good guys and regular users are getting tired of getting exploited and we’re finally starting to see more offensive and aggressive take downs of botnets…we’re starting to see people wanting to take back the Internet.”

by Larry Magid

Of course you’re not personally responsible for bringing down Twitter, but if your computer isn’t equipped with up-to-date anti-malware software and the latest version of your operating system, you could unwittingly be part of the problem.

Twitter has confirmed that its outage Thursday morning and subsequent intermittent problems were due to an ongoing denial-of-service attack. Facebook also “encountered network issues related to an apparent distributed denial-of-service attack, that resulted in degraded service for some users,” according to a company spokesperson.

Typically a DoS attack, which is often called a distributed denial-of-service attack, results when multiple computers simultaneously try to access the site in question. Usually the reason that happens is because the attacking PCs are infected with malware that does the dirty work for whoever is behind the attack.

As Symantec blogger Marian Merritt pointed out, “It’s often the case that DDoS attacks come from computers infected with bots, turning them into zombie computers doing their cybercriminal’s bidding. ”

You can help prevent your PC from being part of such an insidious scheme by:

* Using a good anti-malware suite from a reputable vendor such as Symantec, TrendMicro, McAfee, ZoneAlarm, or CA. You can find trial versions of such programs as well as the excellent AVG-Anti Virus Free Edition at CNET’s Download.com

* Making sure your operating system has the latest patches. Visit Microsoft and Apple security pages for information.

* Avoid clicking on e-mail links that take you to Web sites you’re not familiar with (malware is often distributed through “drive-by downloads” from unreputable or infected sites).

Visit CNET’s security center for more security news.

Like millions of other people, I’m on Twitter. I’m not glued to it all day, but I try to check in at least once or twice daily to catch up on what others are saying and tell anyone who cares to “follow” me to find out what’s on my mind at the moment.

Unlike some, I don’t use it to signal my every move. But my tweets — Twitter’s term for messages — have ranged in significance from my thoughts on a major issue of the day to “going to bed now,” all in 140 characters or less as dictated by Twitter’s technology.

I also use Twitter to update my followers on my latest articles and blog posts. Indeed, a link to this article will find its way to anyone who happens to follow me at twitter.com/larrymagid.

As a Twitter user I’m in good company. Nielsen Online reported last week that “unique visitors to Twitter increased 1,382 percent year over year, from about 475,000 unique visitors in February 2008 to about 7 million in February 2009, making it the fastest-growing site in the member communities category for the month.”

The survey also found that the largest age group of people on Twitter is 35 to 49 and that “the majority of people visit Twitter.com. while at work.” In a recession, it’s fair to wonder if Twitter is costing employers billions of dollars in lost productivity.

But despite the fact I’ve been “tweeting” for several months and consider myself relatively hip to the tech scene and culture, I have admit there is something about Twitter that I don’t fully “get.”

I thought (and blogged attinyurl.com/dz48c3.) about Twitter last week when I read a transcript of a “twiitterview” between George Stephanopoulos of ABC News and Sen. John McCain. In a session which reportedly lasted about 20 minutes, Stephanopoulos asked McCain a series of questions — all in 140 characters or less — which McCain answered with equal brevity.

While it was in some ways refreshing to see a reporter and politician be so succinct, it was also unsatisfying and a bit scary to see an interview about important subjects like Iraq, Iran, terrorism and the economy reduced to tiny tweets that make TV sound bites seem like in-depth journalism.

When it comes to Twitter, I find myself more quizzical than cynical. Clearly it has appeal to millions of people and it must appeal to me. I find myself drawn to it not only to avoid missing news from those I follow but also to be sure I remain relevant in this ever-changing media environment.

I haven’t seen any compelling evidence that eschewing Twitter would have any negative impact on my journalism career. But I feel that I have to be there even though the number of people who follow me on Twitter is dwarfed by the numbers who have access to my columns and broadcasts.

When it comes to influence, it’s not just about numbers. It’s also about being an early adopter. Early last century, some newspaper people ignored radio at their peril, and there were radio personalities whose careers languished because they weren’t quick enough to add TV to their repertoire. And virtually every media company — for years — has been scrambling to build a Web audience even though few have yet been able to turn a profit from it.

That said, I’m still not convinced that Twitter adds value over other media. Radio added sound to news reporting, TV added pictures to radio and the Web added timeliness, frequency and depth to all of the above. But when it comes to the depth of the messages it can deliver, Twitter doesn’t add anything other than the ability for people to grab messages quickly and respond in kind. But it’s not as if everyone who responds to a New York Times tweet is reaching all New York Times readers or even Twitter followers. When you tweet, you only reach the people who have elected to follow you and, for most people, that’s a pretty small number.

Maybe the reason I don’t “get” Twitter is that I’m thinking about it as a medium rather than a means for people who know each other to chat among themselves. Of course, that doesn’t explain why Stephanopoulos and McCain and plenty of other people in the media and politics find Twitter to be worth their time.

Have a thought on this? Why not send it to me, naturally, via Twitter at @larrymagid. I may be quizzical but I’m covering my bets.

ABC’s George Stephanopoulos is an excellent reporter and Senator John McCain has given some great interviews. But while yesterday’s “twitterview” may have been a watershed moment for Twitter, it was far from a high point for either journalism or politics. 

After reading a transcript of the interview, I have to question whether the 140 character format makes any sense as an interview technique, especially when dealing with life and death questions such as “What worries you more: Pakistan or Iran?” to which Senator McCain responded, “Both. The challenges are different but both significant.”

Senator John McCain

(Credit: mccain.senate.gov)

Call me old-fashioned, but I prefer a little more depth in my interviews. While brevity has its place, I found both the questions and the answers to be artificially short thanks to the limit of 140 characters per “tweet.”

In an age where we get much of our political information from sound bites and commercials, I appreciate the tradition of a well-seasoned journalist sitting down with a politician to ask in-depth questions, get candid responses and be able to ask equally in-depth follow-up questions. In most cases, in person or at least telephone interviews are a better way to do that than short bursts of typing.

Having said that, I do like the fact that Stephanopoulos used Twitter prior to the interview to get his followers to submit questions for the Senator and I would like to see more online forums where politicians answer questions not just from journalists but from citizens as well. But asking the likes of Stephanopoulos and McCain to reduce their dialog to 140 characters per question is, in my opinion, an interesting experiment but a bad precedent. Twitter is fine for casual conversation and occasional punditry, but when it comes to the affairs of our nation, we need to hear a lot more than 140 characters from our leaders and our leading journalists.