Where do you start when trying to protect them in cyberspace? Well, you are certainly not alone in asking these questions, so this week and next week I will blog about laying some very important foundations for your family on your quest to protect your kids from these unwanted cyberthreats.

So where do you start?…. Let’s start at the beginning!

Tip 1: Consider where you place your home computer

Position the computer in your main living space and make sure the monitor faces outward into the room so there is no secrecy. Be suspicious if your child quickly changes the screen when you pass by, or is hiding files or disks – someone may have sent them inappropriate or questionable content!

Tip 2: Work together with your kids to set boundaries

Discuss with your child exactly what is OK and what is NOT OK regarding what kind of web sites are appropriate for them, which chat rooms to visit, and what kinds of things they can talk about when online. Only let your kids use monitored chat rooms.

Get to know your child’s online friends as you do their school and neighbourhood friends. Learn to surf the web and chat online with your child so you understand what it is that your child is doing – you might just learn a thing or two!

Tip 3: Stress to your child that they need to tell you if they receive any odd or upsetting messages when online, and that you will not be angry with them or ban the internet as a result.

Make it clear that you understand that they cannot control what other people say to them and that they are not to blame if this happens. It’s so important that they feel they can come to you and talk about their online experiences, good and bad.

Tip 4: Set time limits for internet use and enforce them

Don’t allow your kids to be left alone in cyberspace for long periods of time – this is when they are most vulnerable. Ban late-night use. Parental control software such as McAfee’s Family Protection software enables you to enforce the time limits your family has agreed upon.

Tip 5: Make it clear to your child that people in chat rooms are always strangers, no matter how often they chat with them, and no matter how well they think they know them. They should be told that people can lie about who they are, and their new friend may be a 40 year old grown up instead of a 13 year old girl!

Open, honest and frequent talks with your kids about their online experiences, good and bad is so important when it comes to protecting your kids from online threats. And while some of these tips might sound blaringly obvious, I wonder how many or how often we apply them?

Mums (and dads) live busy lives working, studying, grocery shopping, helping with kid’s projects, completing house hold chores… the list goes on, but are we that busy that we can’t take a few minutes to ensure our kids are out of harms way when they’re at play on your home computer? Today sounds like a good day to start. But you can always send me a question or idea anytime.

Moira
Email me at: cybermum@mcafee.com
Follow me on Twitter: Cybermum_Oz

There are lots of free anti-virus options out there, and consumers have voted with their wallets. Free is great for some who don’t mind piecing together various products that attempt to provide comprehensive protection like McAfee’s suites do. The majority of consumers are willing to pay for products that help keep them fully protected.

McAfee has developed security products that rate at the top in effectiveness for malware detection and have a complete feature set which protect consumers against today’s threats. We incorporate a multilayered approach to security to protect consumers against viruses, spyware, spam, phishing attacks, ID theft and provide safe searching and surfing capabilities.

Last fall, we added a cloud-based security called McAfee Active Protection. It offers consumers instant protection against new threats, even before a virus definition file has been created while Microsoft’s protection is outmoded, incomplete and ultimately inferior.

Meanwhile, Microsoft Security Essentials provides a basic feature set of antivirus and antispyware, which, while important, protect consumers from only some of the threats facing them today. Interestingly to note as well, consumers require a legal version of the Microsoft operation system, raising the question if Microsoft Security Essentials is an anti-piracy tool instead of a security product.

If you want a two-way firewall, you’d need to either change the settings of the Windows firewall or buy a firewall only product. And if you’re concerned at all about the spam you receive, you’d probably want a product that protected you from that annoyance. What about rootkit or phishing protection? Website safety ratings? Again, not in Microsoft Security Essentials.

The truth is that the reason the software security industry exists today and is a multi-billion industry is because of the flawed code within Microsoft’s Windows and browser; does Microsoft really have the credibility to solve security problems or protect its customers?

If you’re a numbers person, a recent AV-Comparatives report ranked McAfee with a 98.7% malware detection rating. The Microsoft product they tested (not the production released version of Security Essentials but the best one that they had when they tested last month) rated at 90% detection. That’s a big difference if you count on only your antivirus to keep you protected. If a product can’t detect the malware, it can’t keep you protected.

So, if free is your budget and you don’t mind it protecting some of your most valuable personal information, then Microsoft Security Essentials may work for you. However, there’s always a cost to free, and with McAfee’s years of experience solely focusing on solving security problems for consumers, then a product such as McAfee Internet Security is a much better choice!

“What do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname ‘Cyxymu’,” Dmitri Alperovitch, vice president of threat intelligence at McAfee Avert Labs, wrote in a blog published early Friday morning.

All the Web sites involved suffered a distributed denial-of-service (DDoS) attack on Thursday. Reportedly, the DDoS attacks were specifically on the pages hosted for Cyxymu, who had just a few days ago blogged about the upcoming one year anniversary of the war between Georgia and Russia. (The nickname is taken after Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics.)

In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system had also detected a spam campaign that referenced the targeted blogs, Alperovitch wrote.

“We believe this campaign had a dual-purpose,” Alperovitch wrote. One purpose was to attack the social networking Web sites, the other to flood Cyxymu’s inbox hosted by Google’s Gmail service with e-mail messages. “This was likely part of an intimidation campaign,” Alperovitch wrote.

New cyberattacks piggyback on DDoS news

McAfee Avert Labs has already seen the first example of cybercrooks piggybacking on the news of the denial of service attacks to launch other scams. The second result for a Google search on “Sukhumi DDoS” earlier Friday was a link to a Web site that offered to add Cyxymu as a friend on a social networking service. Instead the link was a lure redirecting to a Web site promoting a fake anti-virus product.

Twitter, the rising star among social networking Web sites, was downed on Thursday morning (Pacific Time) due to an apparent distributed denial of service attack. At the same time, Facebook also came under attack.

“On this otherwise happy Thursday morning, Twitter is the target of a denial of service attack,” Biz Stone, Twitter’s co-founder, wrote in a posting on Twitter’s blog Thursday morning. Facebook told Wired.com that it “encountered network issues related to an apparent distributed denial-of-service attack.” Facebook didn’t go down, but said the attack “resulted in degraded service for some users.”

So what is a distributed denial of service attack and why would somebody attack Twitter or Facebook?

In a distributed denial-of-service, or DDoS, attack, the target is overloaded with requests for information. The requests come from a large number of sources, typically compromised computers in a botnet run by cybercrooks. As a result, legitimate users can no longer access the site. Web site operators can defend against DDoS attacks by monitoring the traffic to their sites and filtering out malicious traffic using a firewall or other network security tool.

Distributed denial of service attacks happen for a variety of reasons. In this case it could simply be for the notoriety of taking down a high profile Web site like Twitter.com or Facebook, but it may also be for more nefarious reasons such as political motivations or to extort money. Hacktivism and extortion schemes are common online, the equivalent of disruptive protests in the streets and ‘protection money’ in the brick and mortar world.

Your PC may be used to attack Facebook and Twitter

The average computer user can’t do anything if a Web site is down due to an attack. However, users can prevent their computer from becoming part of the attacking force.

The compromised computers used to assault Web sites in a DDoS attack are typically unproteced PCs of unknowing computer users that have been commandeered by cybercriminals and networked into a botnet. To prevent this from happening, computer users should practice good PC hygiene by making sure the operating system and applications are up to date on patches and running current security software, such as the products sold by McAfee.  

To learn if you’re part of a botnet or became the victim of another cybercrime, you can scan your computer at no cost to you and get help from experts at the McAfee Cybercrime Response Unit.

DDoS History

While still common, most DDoS attacks today aren’t as high profile as they were nearly 10 years ago. Back in 2000 e-commerce giants eBay, Amazon.com and Buy.com, along with Yahoo, news site CNN.com, online trading sites E*Trade and Datek, and technology information provider ZDNet reported similar attacks. The sites were down, sometimes for days, and the FBI held press conferences about the spate of attacks.

McAfee is investigating the Twitter and Facebook attacks, our researchers are plowing through data to find out more about the make up of this particular attack.

TechCrunch on Tuesday reported that it had received a ZIP file containing about 310 documents including “executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees.”

Twitter is obviously a very attractive target to hackers because it is a high profile social networking Web site. That means that Twitter and the people who work there need to be extra diligent when it comes to security. Twitter CEO Evan Willams has acknowledged that himself as well in an e-mail to TechCrunch.

The attacker, using the pseudonym “Hacker Croll” claims to have gained access to the confidential Twitter information by taking advantage of password reminder features on online services such as Web-based e-mail. This once again exposes the weakness in such services. If they are not designed and used correctly, password reminder services can be a weak link in security.

When setting reminders, users should vary the questions and responses they use and only pick questions to which the answer can not easily be guessed or found online. In today’s world of social networking Web sites there is a lot more personal information online about each individual than before, so pick a question to which the answer is not on your MySpace, Facebook or Twitter feed.

McAfee has seen a significant increase in online attacks that take advantage of social networking services recently. In the past worms and viruses spread using vulnerabilities in Windows and the Outlook Express e-mail client, today worms crawl over sites such as MySpace, Facebook and Twitter. It is important that users of these social networking sites understand that they can’t trust every link that appears on their profile page or feed, just you can’t trust all attachments and spam messages that arrive in e-mail.

IDC expects 26.4M units of netbooks to be shipped globally in 2009, and most of the industry analysts have generally forecast strong growth for the next few years on the horizon. However, a new survey by NPD suggests that a large number of consumers who buy netbooks may be dissatisfied with their purchase. According to the survey results, 60 percent of consumers who purchase netbooks expect them to have similar functionality and performance as notebooks. The data clearly suggests that consumers’ expectations have not quite been sufficiently managed or met by the netbook vendors so far. Assuming that the results of this survey really reflect the true sentiments of netbook consumers, this data should be a major wake-up call for the netbook manufacturers and retailers.

At the end of the day, netbooks are meant to be lower-cost computing devices with scaled down features and specifications. Therefore, consumers who purchase netbooks and are expecting performance and functionality similar to notebooks are bound to be disappointed. In light of this, we could find an ever-increasing emphasis from vendors to position netbooks as companion devices (second or third PC) which cater to mobility and portability needs, rather than as replacements for traditional notebooks and desktops. Positioning and marketing netbooks in this fashion will go a long way in ensuring that consumers know what they are buying and are eventually more satisfied with their purchases.

This data from NPD also has great relevance for McAfee. A part of consumers’ satisfaction also has to do with expectations that the applications on their netbooks will run as fast as they would on a traditional PC. Therefore, software vendors such as McAfee also have a very pivotal role to play. From a security perspective, netbooks running on a Windows OS need the same level of protection as regular notebooks running on Windows. However, the challenge is to deliver the same level of protection on these netbooks without any significant performance impact. Leveraging technologies such as McAfee’s Artemis can certainly help. However, McAfee is taking a holistic look at this, and is exploring several other avenues that will enable McAfee to lead in the security software market for netbooks. Meeting and exceeding consumer expectations in the netbooks market space is certainly going to be a challenge, but as always, McAfee is up for it.

Quickly brought back into reality, McAfee Avert Labs colleague Guilherme Venere posted a very timely warning that it won’t be long before cybercriminals will take advantage of the news to attempt to scam people into installing malicious software or give up personal information.

With the death of Jackson and also Farrah Fawcett being top of mind for a lot of people and many wanting to find out more details, this news cycle unfortunately makes a great hook for cybercrooks.

“Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it,” Venere writes. “The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to Web sites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!”

Scammers have also become adept at search engine optimization, or SEO. So when you’re looking for news using Google or Yahoo look for trustworthy sites in the search results.  Cybercrooks know how to trick search engines into serving up their malicious sites among the search results.  These malicious sites maybe rigged to install spyware or other nefarious programs on your machine. (McAfee’s SiteAdvisor rates search results and protect against such attacks.)

In general, everyone should run up-to-date security software on their PCs in addition to the latest security patches and a firewall to be protected against attacks.

Leading the consumer security product line on Windows, I am committed to ensuring that when users either upgrade to Windows 7 or the new install Windows 7, they and their family are protected. To that effect, we launched our beta for Windows 7 beta early February this year. If you have Windows 7 installed, I would urge you to go download and play with our product. There is nothing more valuable than getting feedback directly from our customers. You can download our beta at:

http://beta.mcafee.com/.

You will be required to create an account if you haven’t already done so. The login will give you limitless access to our beta product, documentation and FAQ. You can also post your feedback and we do take your feedback seriously, so let us know about your experience.

For all you users who already have a McAfee security product installed on your PC and your family’s, when we launch our Windows 7 compatible release, your product will automatically get updated to the latest and greatest. For this to happen smoothly, ensure your subscription is active and up to date and automatic update is enabled.

If you have any further questions or concerns, please let me know.

Madhurima

Dear Rusty,
My name is ********* a legal practitioner with ****** & Associates in Kuala Lumpur,Malaysia.

Recognizing the 4-1-9 or “Advance Fee Fraud” scam, I decided to give it a read before I hit the big red delete button, and see what wealthy person died and how the executor of the estate need my help to move the enormous amount of money out of the country. The email continued to explain that the $7,530,000 might become unserviceable and for a 30% cut, I would just need to participate, yada yada yada…

Being in product management, my first thought was – “I wonder what made them decide on the $7,530,000 figure, do they get a better response rate than if they put $7,499,000? What market research or metrics do they track to set the most attractive price to the one they are scamming?” I chuckled, and continued to read, finding that they even added a polite apology to the end of the email:

“However,if this business proposition offends your moral ethics,do accept my sincere apology.”

“How polite” indeed…:-)

All joking aside though, this type of email scam and the sense of confidence that spotting them instills in us has the potential to lure us into a false sense of security… we all chuckle or grimace with irritation when we see the subject line of these emails as we quickly hit the delete key, knowing we are smarter than them, and they can’t fool us. The question however, is when will the scams be good enough to fool us? Would it really be that hard? Should we be so confident in our ability to quickly spot a scam? Have we already been scammed?

After all… The scam email I received had a ton of telltale signs which my recognition of shouldn’t give me too much hubris:

• “Attn: Rusty” – really, how many legitimate emails have a subject line like that?
• And then there’s spelling and grammar: “I found your contact/profile some where over the Internet and it gave me the greatest joy,that you are the one I have been looking for.Whom I strongly believe could execute this transaction with me..” Easy catch right?
• And then there’s the setup itself… the wealthy guy in Africa or Asia and the executor that’s been looking for YOU to help… That’s not to say that that’s the only 419 scam out there, there are a variety, and Wikipedia has a fairly good listing to familiarize yourself with here: http://en.wikipedia.org/wiki/Advance-fee_fraud

These scam emails are now easy for almost everyone to identify, but it is only a matter of time before these email scams get good enough to fool you – more carefully crafted, a more compelling setup, and more advanced overall. The 4-1-9 scam will probably still find unsuspecting victims, but by and large, the next generation threat has the potential to be crafty enough to fool even the internet savvy, and maybe even you and me.

The advancements in information management over the past 5 years, and the explosion of UGC and social networking creates a treasure trove of information and provides the bad guys these new opportunities in their quest to scam you. Another reason why it pays to be cautious with what information you share about yourself on the internet.

Imagine the following:

The Setup:
A scammer who knows a lot about you (because maybe you are “friends” on one of the popular social networking sites… maybe you’re part of a group they created to lure people in, or a celebrity they are impersonating…? Are you a “fan” of anything you don’t know the owner of for sure?)… once they are your friend, they know your friends, they see your status updates, your interests… a LOT of information about you. (see more information about Facebook friend risks in Richard Medugno’s blog postings).

The Con:
You get an email from one of your friends (a forged email, a very easy task for a scammer), asking you to sponsor their efforts in an upcoming walk for a cause.

The Phish:
You follow the email link they sent to sponsor them, view information about the event (fake event site), then enter your bank information, and donate $50 because you too care about the cause.

The Catch:
In actuality, you entered a ton of personal and financial information in a form that goes straight to the scammer. Now they have your legal name, address, bank information, and anything else you entered on the form.

The Price:
You are now a victim of identity theft. Depending on how the scammer uses your information, and how long it takes you to find out, they may have changed your address, ran your credit, applied for a equity loan on your home, gotten 20 new credit cards, emptied your bank account… the list goes on.

Pretty scary right? Not quite as obvious as the millionaire wanting to give you a bunch of money, but it is something anyone could all fall for if they’re not vigilant.

Unfortunately, there is no single answer to avoiding being scammed in the 21st century, but you can do a few simple things to create a layered defense to reduce your risk and make you less of a target then the next person:

• Be careful what information you share online, especially personally identifiable details. Social networks are great, but remember that there may be others listening to the things you are saying.
• Don’t collect friends you don’t know on social networks. Only “friend” a real friend.
• Use tools to help protect you from the scams and phishing – McAfee SiteAdvisor is a free browser plug-in, and provides protection against scams, spam, phishing, and lots of other malicious things on the Web.
• Most of all: Pay attention – to the people you interact with online, the sites you visit (SiteAdvisor helps alert you to fake sites like the “cause” one above), and to where and when you give financial details online. Don’t let emotion or some other compelling pitch blind you from putting safety first.

As the swine flu outbreak reaches near pandemic levels, cybercriminals continue to use the flu scare as bait to scam Internet users.

About five percent of global spam volume now mentions “swine flu” to trick people into opening the e-mail message. That could amount to billions of messages each day. McAfee Avert Labs has seen between 80 billion and 100 billion spam messages each day over the last month. Note: there was no spam at all that mentioned swine flu before the weekend.

The swine spam is being sent from all over the world, which isn’t a surprise since the messages are sent from compromised computers networked in a criminal botnet. Still, about half of all the swine flu spam seen to date originated in Brazil, the United States and Germany. There’s a chart that shows the breakdown on the McAfee Avert Labs blog.

McAfee has also seen sites with the words “swine” and “flu” pushing malicious code. In one case a Russian-based site instructs the visitor to install a “video codec” to view a movie. This isn’t a real codec to allow viewing; instead it is malicious software that puts the victim’s computer at the beck and call of the attacker.

Additionally, McAfee Avert Labs has seen an increase in the registration of domain names that mention swine flu, which could indicate a rise in malicious sites that take advantage of the scare.

Should you need information on the flu situation, go to the World Health Organization, CDC or any other reputable source, do not follow links that arrive in spam, instant messages or on social networking Web sites. If you think your PC might be infected or that you may have been the victim of a cybercrime, visit McAfee’s free Cybercrime Response Unit.

For your reference, subject lines for the swine flu messages include:
Salma Hayek caught swine flu!
Madonna caught swine flu!
First US swine flu victims!
US swine flu statistics
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA