Showing posts with label computer security. Show all posts
Thursday, March 18, 2010
Potential iPad glitch for families
Blogger Anton Wahlman at TheStreet.com thinks Apple's going to hurt the iPad's family market by not building in multiple user accounts with passwords for each family member (it's not out yet, so we're not completely sure this is the case). He feels the iPad's a lot more like a laptop than a phone, and "you wouldn't let your kids use your laptop under your personal login, with access to your emails, address book, documents, and instant messages," he writes. At CNET, my ConnectSafely co-director writes, "because of its size, price and versatility, the iPad is really a tablet computer and if it is going to be used like a computer, it needs to have the same level of security and account control." But I'm not so sure Apple isn't just making it so that parents will want to have their own iPads and buy a family all-purpose one for the coffee table and road trips – IF they can afford them! [Here's my last blog post about the iPad and kids.]
Labels: computer security, iPad, parenting, personal information
Thursday, December 24, 2009
Celebrity news, holidays & malware
Families certainly don't need computer hassles during the holidays, but this highly social time is right when everybody needs to be a little extra alert to social engineering. Here's what social engineering looks like this week, at the convergence of last-minute holiday distractions and the sudden death of a young actor, Brittany Murphy. "As a young star in movies that were highly popular with a younger audience, Brittany may currently be the search engine topic of choice among your own children," writes Trend Micro's Net-safety activist Lynette Owens in her blog. "Regardless of whether or not you knew who she was or how much talent you thought she had, many people are crowding on the internet to find out more about her and what led to her death." So what happens? "Alongside the stories about Brittany in a Google search, researchers at Trend Micro found links to hoax Web sites purporting to offer information about her death.... If you clicked on these links you would see a pop-up message telling you that your computer has been infected with a virus and you need to scan it immediately." Select "ok," and you get a screen saying your system's being scanned. Once the fake scan is "done," you get another screen prompting you to download free security software. Click "ok" again, and the intruder opens a door in your system that can give the source of this scam control of it.
Another scam this year is offers of "free" versions of the film Avatar. In its security blog, Symantec says "there are literally hundreds of ... scam sites and pages trying to cash in on the hype around this new film. All of these sites are offering full free downloads or streaming videos of this new film.... Some are collecting email addresses, others are trying to get you to fill in surveys, IQ tests, and so on that will eventually ask you to enter in your mobile phone number, which will sign you up for some unwanted and subscription-based, premium-rate services," among other potential problems.
Wednesday, August 26, 2009
Social networkers' computer (in)security habits: Study
A small survey ("250 consumers") found that, while a majority of social networkers are "afflicted by Web-borne security problems," less than a third of them are doing anything about it, its press release said. The sample is small (more on that in a moment), but the results are suggestive of where social networkers run into trouble as far as computer security's concerned. More than a fifth (21%) of social site users "accept contact offerings [friend requests] from members they don't recognize"; 50+% "let acquaintances or roommates access social networks on their machines"; 64% "click on links [which can lead them to malicious sites] offered by community members or contacts"; 26% "share files within social networks." The study, sponsored by security firm AVG and CMO Council, also found that, in spite of that risky behavior, 64% infrequently or never change their passwords, 57% "infrequently or never" use privacy settings, and 90% "infrequently or never" let the site know they've had problems. Even so, nearly 20% "have experienced identity theft"; 47% have been "victims of malware infections"; and 55% have "seen phishing attacks." But besides the small sample and limited detail on the study, there's another important caveat: "To say that users of social-networking sites have been exposed to phishing and malware would be like saying that most people who eat spinach are likely to have had measles when they were children. There is a correlation, but no evidence of causality," ConnectSafely co-director Larry Magid wrote in his CNET blog. See his blog for some good security advice, and check out ConnectSafely's tips for rock-solid passwords.
Wednesday, July 8, 2009
Drive-by downloads & kids' media literacy
Current events and computer security increasingly have a lot in common. Put top news stories like the death of Michael Jackson and Web surfing habits into family discussions or dinner-table chat, and it's win-win for everybody. Kids gain a little in media literacy, and family computers avoid infection. "How can that be?" you might ask. More and more Web sites – including those of the best media companies and nonprofit organizations – are getting hacked and "booby-trapped," the San Jose Mercury News reports. "A human isn't required to click on an email link or to agree to install any software. Instead, the sites automatically download software onto visitors' computers" - called "drive-by downloads." Where do big news stories or Michael Jackson come in? Cybercriminals target the sites that get the most traffic. Computer security firm TrendMicro tells us that "this past week, we did see a lot of cybercriminal activity designed to take advantage of the rush to the Web, and search for information and posting of tributes to Michael Jackson. We tend to see this a lot for celebrities and big events (elections, Olympics, you name it). Where the people go, so do the pickpockets." A particularly egregious recent example - specifically targeting kids - happened on the discussion boards for Neopets, FoxNews reports. It's called social engineering: "The ploy is simply using normal human behavior (curiosity + rushing to the Web to popular places for info) against people," TrendMicro adds. Users click around unthinkingly. "It's like driving by an accident - our urge to satisfy our curiosity actually could put us in danger ourselves on the road." Drive-by downloads = valuable new-media-literacy lessons. Mindful surfing, downloading, and uploading can be taught again and again in different ways, with the top news stories as talking points and teachable moments.
Thursday, May 7, 2009
Games' popularity: Computer-security tipping point?
Online games and virtual worlds - more than social networking or any technology before it - could be where computer-security ed really hits home with users. Why? Because online games and worlds like World of Warcraft and Second Life have whole economies in which users buy and sell virtual goods "to the tune of $1 billion a year" industry-wide, CNET reports, citing game security experts speaking at the RSA 2009 security conference in San Francisco recently. So it just may be true that money talks. Two examples they gave occurred in Second Life and WoW. In one hack created just to prove it could be done, a security expert figured out how to "filch Second Life users' virtual currency - which is directly convertible to US dollars - [and] ... credit card information and then use it to buy more of the currency to trade in." In WoW, a security expert wrote a bot (software code that automates certain actions and that's "almost universally prohibited" in games and worlds), which "allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit," according to CNET.
Monday, February 9, 2009
Scams aimed at social networkers
It's the digital version of boy-cries-wolf, and it's a shame, because social network sites via computer or cellphone are a great way to broadcast a friend's (or one's own) real call for help. I remember a story a year or so ago about a journalist who was jailed in Egypt, shortly thereafter to be released because his text messages mobilized friends to get the US Embassy involved. I'm sure most social networkers are smart enough to distinguish between real calls for help and what happened the other day to friends of Bryan Rutberg, though they were scammed pretty convincingly. MSNBC tells of how Bryan's profile was hacked so that a bulletin was sent to his friends saying he's been held up at gunpoint overseas and had no money to get home. Responses to test messages sent to the person posing as Bryan were convincing enough that one friend sent money. It would definitely not hurt to sit down with social networkers at your house and go over three solid tips for social-networking malware avoidance from ComputerWorld.
Monday, January 26, 2009
New PC worm infecting millions
The New York Times called it the newest "digital plague." "Known as Conficker or Downadup, it is spread by a recently discovered Microsoft Windows vulnerability, by guessing network passwords and by hand-carried consumer gadgets like USB keys," according to the Times, adding that experts are calling it the worst worm since the Slammer of 2003. Microsoft says there's no single solution to the problem, but it did issue a patch last October. Security experts told the Times that the worm's success was "due in part to lax security practices by both companies and individuals, who frequently do not immediately install updates." Washington Post computer security writer Brian Krebs has details on the worm's origins.
Friday, December 19, 2008
Patch those family 'puters
The latest critical security patch from Microsoft was all about the Explorer Web browser, and this is an important patch for the computers of avid Web users at your house. "That doesn't mean that Firefox and Chrome are exempt from other vulnerabilities," writes my ConnectSafely co-director Larry Magid in Yahoo's "Connected Parent," but if your family uses Explorer, here's the scoop on that: "The latest threat is a flaw in all versions of Internet Explorer that makes it possible for an attacker to take remote control of your PC, capture user names and passwords and log keystrokes," Larry reports. A week after the flaw became known, Microsoft released a fix, InformationWeek reported. It probably updated your PC automatically if you have automated updates turned on. "To be sure, you can manually scan your computer to see if its security fixes are up-to-date by visiting WindowsUpdate.microsoft.com," Larry writes. "For this particular site, you must use Internet Explorer (other browsers such as Google's Chrome and Mozilla Firefox work with the vast majority of sites but not this one)."
Monday, December 1, 2008
'Cyber Monday' alert!
Apparently today is the biggest online shopping day of the year, but everybody needs to be extra alert for spam and phishing scams right through the holidays (not to mention every day). The Monday after the US's Thanksgiving "consumers are expected to spend $821 million this year, up 12% from 2007," USATODAY reports. "But a wobbly economy, combined with a consumer thirst for too-good-to-be-true bargains, has motivated cybercrooks to unleash a torrent of spam, phishing scams and malicious software." USATODAY adds that last year, phishing attacks rose 300% on Thanksgiving, and worse is expected this year. It's an excellent opportunity to teach critical thinking. Help your kids understand that, online too, too good to be true is usually exactly that: not true, not a "deal." USATODAY cites security experts as urging users "to be wary of cut-rate deals from unfamiliar online merchants. They also suggest using multiple passwords when shopping and using the most up-to-date Web browsers and anti-virus software."
Labels: computer security, holiday shopping, online scams, phishing
Tuesday, October 28, 2008
Growing no. of teen hackers (or wannabes)
The number of teenagers dabbling in high-tech crime is on the rise. "Computer security professionals say many Net forums are populated by teenagers swapping credit card numbers, phishing kits and hacking tips," the BBC reports. Kids as young as 11 and 12 are being found in these forums using credit card numbers to pay for packaged exploits, computer security experts say, some of whom seem to view searching for videogame cheats as a kind of "gateway" activity (I'd say only for those who've never been told the difference between legal and illegal). In any case, these hacker wannabes' age and low skill level make them relatively easy to catch and arrest, the BBC's sources say, and they need to know that nobody wants to be in the position of trying to get into college with a criminal record! The BBC says some are going for thrills, some for a certain kind of fame or validation (even making videos of their exploits and posting them on YouTube), some for money, and others some combination of all the above.
Labels: computer crime, computer security, hacking, teen hackers
Monday, October 13, 2008
Watch out for 'clickjacking'!
The problem is, it's hard to detect, and - according to Trend Micro - virtually all Internet users can be victimized by clickjacking. What is it? A computer-security attack that tricks people into clicking on a link that appears only briefly on their screens, such as in a little game (see this illustration on YouTube). Clicking on it could cause your browser to download malicious software or allow malicious hackers "to open the microphone or Webcam on your PC to eavesdrop," CNET reports. TrendMicro says the only good news is that one protective measure is available, but it's kind of a geeky one: install the Firefox browser's NoScript plug-in and enable "Always Forbid iFrames" in its options ("use the latest version of NoScript v1.8.2.1 with the ClearClick technology"). In any case, tell your kids to be really suspicious of offers to play or download little Web games, especially ones they've never heard of before. Here's more from computer-security experts' blog and coverage from NewsFactor.
Labels: clickjacking, computer security, malicious hack, webcams
Tuesday, September 16, 2008
Facebook plugs security hole
The security issue was people being able to view some members' private photos using the mobile version of Facebook and the Firefox browser, CNET reports. "Basically, someone who knew the serial number of a Facebook user, which is easy to get, and knew a trick for rejiggering the URL, could see private photos of that user," according to CNET. Facebook says it fixed the flaw within hours of being notified. It also plans soon to launch a program to verify the security of third-party applications (those mini applications users download to add games, slideshows, playlists, and other features to their profiles) - an update, apparently, over the statement from a Canadian consumer privacy group in the Toronto Globe & Mail that Facebook wasn't "doing enough to screen third-party developers to ensure they're not phishing for information or trying to commit identity."
Labels: computer security, consumer privacy, Facebook, online privacy
Wednesday, August 27, 2008
Facebook controlling 'wall spam'
Yup, yet another new term for malware on the social Web. "Wall spam" is comments on your Facebook wall purporting to be from a friend but which usually contain a link to some bad Web page that puts malicious code on your PC. The term "rose to notoriety earlier this month, when members started noticing the phenomenon, and security firms started flagging worms that were spreading via Facebook members' walls," CNET reports. Facebook appears to be on top of it (see this from the Washington Post). But tell your kids that, if they have a friend they haven't heard from in a long time and/or who just became a very bad speller, don't click! Better first to contact that friend by IM, phone, email, etc., and ask if s/he posted that comment.
Labels: computer security, Facebook, social networking, spam, wall spam
Monday, August 18, 2008
Be sure they're real friends!
Tell your kids not to feel bad if they fall for fake friend requests in a social-networking site. After all, some of the smartest computer-security professionals have fallen for them. What's important is that they know to be alert. Accepting new friends indiscriminately is really becoming bad news, SecurityManagement.com reports. The article says two top network security executives conducted an experiment, creating "fake profiles of prominent computer security professionals" on several social-network sites, and then sending out "plenty of friend requests to other security experts. They were so astounded by the results they presented to the Black Hat hacking conference" in Las Vegas this week. "Each time they lured in more than 50 new friends within 24 hours. Some of those people were chief security officers for major corporations and defense industry workers."
Friday, August 1, 2008
Heads up: New worms in MySpace, Facebook
Any social networkers at your house should be aware of the "Koobface" worms, which can turn household computers into remotely controlled "zombies." Computer security firm Kaspersky Lab reports that the worms work this way: A MySpace or Facebook user gets a message or comment from a friend whose computer has already been infected. The messages contain text such as "Paris Hilton Tosses Dwarf On The Street"; "Examiners Caught Downloading Grades From The Internet"; "Hello"; "You must see it!!! LOL. My friend catched you on hidden cam"; and "Is it really celebrity? Funny Moments and many others." Inside the messages or comments is a link to YouTube (with a ".pl" extension), supposedly to a video clip. "If the user tries to watch it, a message appears saying the user needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codesetup.exe is downloaded to the victim’s machine; this file is also a network worm" that probably not only sends the same message to everyone on your child's friends list but is capable of turning that computer into a "bot" that becomes part of a "botnet" that malicious hackers use to commit crimes such as denial-of-service attacks.
Labels: computer security, family computers, social networking, viruses, worms
Wednesday, July 16, 2008
Supreme Court justice's P2P security breach
No, Justice Breyer wasn't using a file-sharing network himself. But a guy at his investment firm was on LimeWire and inadvertently shared "the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer," the Washington Post reports. This isn't just about file-sharing in the workplace. It's about how private family records and information can be made public on P2P networks if file-sharers and music fans at home aren't configuring the software correctly. It's only one key topic for family discussion about file-sharing, others being the ethics of file-sharing and the potential for parents being sued by the RIAA for pirated music shared on family computers (at least go into the software with your kid and see how Preferences, Options, or Sharing is set up).
Tuesday, July 1, 2008
Data insecurity on the rise
Here's one reason why verification of online children's ages or identities is a slightly scary concept: data breaches are up. What does this have to do with online kids? If age verification is required of Web sites, children's personal information would have to be stored in a database somewhere, so that Web sites' "bouncers," or ID-checking technology, will have a collection of information against which it can check the info kids provide. The problem is, "businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69% increase over the same period in 2007," Washington Post security writer Brian Krebs reports, citing research from the San Diego-based Identity Theft Resource Center. Interestingly, hacking was "the least-cited cause of data breaches in the first six months of 2008.... Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches." See also "UK data security breach & kids." And I seem to be seeing more news of data breaches all the time, the latest for Google employees - see CNET.
Wednesday, April 16, 2008
Computer security sea change & youth
You know that old argument about Mac vs. PC security? Well, it really is an old argument now. Computer security really isn't about what operating system your computer has anymore. Now it's really about 1) what browser you use and where you go online, and 2) how smart you are (or your child is) about protecting passwords and financial information online (social engineering), CNET reports. "Lots of people who may already be nervous around computers often just do whatever the computer [or email or Web site] tells them to do," CNET says. That's called social engineering. But children, who are most definitely not nervous around computers, can be gullible too when they get messages like "check out this video" or "click here to find out how to start your modeling career." For adults, it's also tempting to click somewhere to "update their bank account information." There are also event-oriented and seasonal scams, e.g., the Olympics and filing tax returns. "The problem for the security industry is that even if Microsoft, Mozilla, Apple, and Opera all make the most secure browser ever, it still won't prevent things like phishing scams [such as the above]." Along with skepticism about advertising, gossip, and flattery in emails, IMs, and social sites, children need to be alerted to casual messages like the above that may really seem like they're from friends or acquaintances. Knowing how social engineering works can go a long way toward protecting both children and computers (both of which contain large amounts of confidential information!).
Wednesday, March 26, 2008
Common social-networking hack
We get a lot of questions in the ConnectSafely forum about people finding their profiles compromised in various ways. One way this can be done concerns social networkers' passwords - if they've either given their passwords to friends or their passwords have been stolen. A researcher colleague of mine in Portugal, Daniel Cardoso, sent me a heads-up about the latter. Here, a post in EthicalHacker.com explains that there is free downloadable software on the Net that allows malicious hackers to steal users' passwords. Cain & Abel is "a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols." In Slashdot, which Daniel linked me to, a young security expert posted: "If I were to run this attack on the computers at my high school, I could cripple a lot of kids' social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmates' MySpace pages). They just don't understand how easily I could get their password (or whoever's, running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything. Kids these days [note that he's talking about his peers] are just not educated enough on good security practices, or show a lack of common sense with this stuff." Parents, make sure your kids practice good computer security - choose hard-to-guess passwords, don't share them with friends, change them fairly often, and choose different ones for different sites and services. 
IT News in Australia reports that "criminal hackers now view social networking sites as their best target for attacks." It goes on to describe another vulnerability besides passwords, and IT Pro in the UK reports on a Facebook vulnerability involving users' private photos.
Tuesday, February 26, 2008
Habbo Hotel invader
This alert for Habbo Hotel's young users is actually a heads-up for everyone on the social Web. Users need to be alert about the "tools" they download to enhance their pages. Bloggernews.net mentions an alert from WebSense computer security firm specifically about "Trojan" keylogger software buried in one of those tools for Habbo users and links to a screenshot of the message. The keylogger software gathers Habbo account users' log-in info in order to break in and steal the "Coins" stored in those accounts. Habbo Coins are worth real money (see this page at Habbo.com).