July 13, 2009

Tweet URLs may be tiny, but they can also be dangerous

With tweets on Twitter limited to only 140 characters, many Twitterers economize by shrinking lengthy URLs for embedded links, with help from Web sites that specialize in such shrinkage. Now, at least one such site has been hacked.

URL-shortening site Cligs last month sent more than 2 million Web addresses to an entirely different destination. Phishers are also taking advantage of the trust users have in TinyURL Web addresses by using them to mask malicious destinations.

But easy solutions are available, PC Magazine points out. You can easily decode those cryptic URLs by pasting them into—what else—a URL lengthener. One such tool: Untiny. Just cut and paste the shortened URL into the box, and you’ll get the original address. Make sure it’s legit, click, and you’re good to go.

In other Twitter news, the site announced it was suspending accounts infected with a form of the Koobface virus. The suspended sites were sending out “bogus tweets” when the user logged in. The tweets included TinyURLs that sent users to Koobface malware sites. —Donna Tapellini

July 07, 2009

BBB sees rise in Pay-to-Tweet scams

A warning to all you job hunters out there: The Better Business Bureau reports a spike in the work-at-home, get-rich-quick schemes being offered through the social-networking site Twitter.

The scams are similar to the classic Web and e-mail offers. Sites claim you can make loads of money, with little effort, and no experience, as long as you pay for an informative CD—as featured on the fill-in-the-blank nationally syndicated television show—that will reveal the mystery of making thousands of dollars a month.

According to the BBB, the purported offers being posted by companies on Twitter promise to pay users hundreds of dollars a day to be professional “Tweeters”—the name for a person who uses Twitter. “‘Make Money With Twitter’ schemes may sound risk-free but bear many red flags,” according to the BBB.


July 06, 2009

Online privacy: New tool makes it easier to hide your tracks

Here’s your chance to easily opt out of many of those ad-trackers that follow your every move as you surf the Internet. A new, free tool called TACO, or Targeted Advertising Cookie Opt-Out, lets you do just that.

Developed by a student fellow at the Berkman Center for Internet & Society, TACO places cookies in your browser that prevent 84 online ad networks from tracking your browsing habits. Right now, the tool works only with the Firefox browser.

Without TACO, you’d have to visit a large number of Web sites individually and opt out of each network’s program. —Donna Tapellini

July 03, 2009

Clever e-mail scam: Someone bought this in your name

An e-mail message purporting to be from PayPal warns the recipient that their PayPal account has automatically sent money to an unfamiliar person. But if the person clicks on "Cancel Transaction," that's when the real problems begin.
[ Photo: J. Fox ]

I've been getting e-mail phishing scams for several years and thought I'd seen it all. But this week I received an e-mail that wasn't the usual "We're doing a security check and need your password" scam.

The e-mail appears to come from PayPal, a popular institution often imitated by scammers. What's unusual is that it seems to be a confirmation of a purchase, for more than $400, paid from my PayPal account. There's even a realistic-looking transaction, including the name and address of the person whom you're supposed to assume made the purchase.

I picked this up as a scam fairly quickly because I've trained myself to recognize such cons. But I suspect that a consumer fearful that their PayPal account had been incorrectly charged would hastily follow the scam's instructions to click on the “CANCEL TRANSACTION” link to sign into their account.

If that link were still active (it wasn't when I tried it), doing that would give the criminals the information they need to immediately access the account and drain its funds. (Based on our most recent State of the Net Survey, we estimate that, over the past two years, about 7 million American consumers gave such phishers personal information and that, nationally, phishers stole nearly half a billion dollars from online consumers.)

Here's how to avoid becoming a cybervictim:


June 12, 2009

McAfee, Symantec Agree to Change Renewal Practices

If you’re a subscriber to McAfee or Symantec’s security software, you’ve probably noticed automatic charges for renewals on your credit card, even when you didn’t request them. Look for that practice to change, now that the two companies have agreed to pay $750,000 in penalties after settling charges stemming from an investigation by New York Attorney General Andrew M. Cuomo.

As part of the settlement, the companies must clearly disclose any automatic renewal programs, as well as provide easy and transparent methods for opting out of such programs.

The companies also must disclose how long they will provide updates before a charge is incurred, provide a refund to any customer who requests it within 60 days of being charged, and pay the Attorney General’s office $375,000 each in penalties to settle any claims made by consumers.

“Consumers have a right to know what they are paying, especially when they are unwittingly agreeing to renewal fees that will not appear on their credit card bill for months,” said Cuomo. “In other words, no more hide the ball with renewal fees.” —William Dilella

June 05, 2009

Sears settles FTC charges it tracked online consumers


Yesterday, the parent company of Sears and Kmart settled charges by the Federal Trade Commission that it used software to track the online bank statements, drug prescription records, video rental records, library borrowing histories, and personal e-mail of some Sears customers without adequately disclosing that activity to them.

As we reported here on Wednesday, the FTC has expressed concern that more consumer data is being collected online than is necessary.

In this case, the agency says, some online customers were invited by Sears to participate in an initiative called “My SHC Community.” Those who accepted were paid $10 and asked to download “research” software that would confidentially track their “online browsing.” But the FTC said the broad extent of the tracking was revealed only in a lengthy user agreement, which the agency ruled was “deceptive” and in violation of the FTC Act.

Data collection by online advertisers was a hot topic at this week’s Computers, Freedom, and Privacy conference in Washington, DC.

As part of the settlement, Sears agreed to destroy any consumer data it has already collected and to clearly and prominently inform consumers about any data it collects. —Jeff Fox

June 02, 2009

Obama’s cybersecurity report: Security experts weigh in

Yesterday, I attended the Congressional Internet Caucus Advisory Committee’s panel discussion of President Obama’s cybersecurity report featuring top cyber security and intelligence experts. The panel of experts debated aspects related to civil liberties, critical infrastructure, private sector regulation, and security of government data and systems.

Here is some of what the group said about the report’s impact on consumers:

It’s too soon to tell exactly what will change for consumers in the aftermath of the report’s release, the group agreed. “Consumers are going to have to wait,” said Gregory Nojeim, Senior Counsel at the Center for Democracy & Technology. “The report is so high level, it’s going to depend on how it’s implemented.”

One piece of good news for consumers, according to Marcus Sachs, Executive Director of Government Affairs for National Security Policy at Verizon, is that President Obama places himself in a consumer role. “He sees himself as a user—and a hackee,” since his campaign Web site was itself compromised during the election in 2008.


May 29, 2009

White House Cybersecurity report: Making the Internet safe will require time and patience

Melissa Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, and leader of the team that produced the Obama administration's cybersecurity report, at the event today in which the report was unveiled. [Photo: Jeff Fox]

Bearing the title "Cyberspace Policy Review" and just 38 pages long (if you don't count the appendices), the long-awaited preview of how the federal government is going to secure cyberspace was finally released at the President's White House speech today. (I was actually handed a copy in the East Room 20 minutes before its official release time and then asked to return my copy until that time, 10:45 am EDT, arrived.)

While I haven't had time to read through the report in its entirety, here are some key points from it that the President stressed in his speech:

  • The status quo is no longer acceptable. The US must signal to the world that it is serious about addressing the challenge of cyber security.
  • "Ad hoc responses will not do." (That's a direct quote from Obama's speech). The President said the country cannot continue to react to cyber crime on a piecemeal, incident-by-incident basis; it must become proactive, organized, and partner with other nations.
  • There will be accountability. The President promised that milestones and "performance" metrics will be used to ensure that goals are met.
  • Although public/private partnerships will be pursued, there will be no monitoring of private sector networks or Internet traffic. There will be a strong commitment to privacy and civil liberties.


Obama cites Consumer Reports survey figure on cost of cybercrime

In a speech on cybersecurity this morning, President Obama used a figure from a Consumer Reports survey to document the financial impact of cyber crime on U.S. households.

“According to one survey,” the President said in his remarks, delivered to an audience of reporters and cybersecurity experts at the White House, “in the past two years alone cybercrime has cost Americans more than $8 billion.”

While the President did not attribute the figure to Consumer Reports, it’s identical in amount and scope to that found in our unique State of the Net 2009 survey conducted by the Consumer Reports National Research Center. The figure includes the estimated impact of viruses and phishing over a two-year period, along with that of spyware in the six months prior to the survey, which involved a nationally representative sample of Internet-using households.

In the speech, Obama also summarized his administration’s planned strategy to tackle cybercrime, and outlined the responsibilities of a new “cyber-czar” who will lead those efforts. Technology Editor Jeff Fox was in attendance at the event, and will be reporting in more detail on the Obama speech later today.
– Paul Reynolds

Obama cybersecurity speech: More than just a new cyber-czar

When President Obama speaks on cybersecurity Friday morning at 10:55 (Eastern time), he’ll be doing a lot more than just announcing who will be the new “cybersecurity czar” and where they will fit into the White House hierarchy. (He may not actually announce who the czar is for a few days, according to the Wall Street Journal.)

He’ll be setting the stage for a new era in America’s cyber-defense, which has been woefully inadequate for many years. According to my White House contact, simultaneous with the speech, the White House will release electronically the report and plan that resulted from the Obama administration’s 60-day audit of US cybersecurity.

That report should provide the strategy, if not all the details, about how the cyber-czar, and the federal government itself, intend to meet the challenge.

For example, it should provide more information about how the government plans to partner with private industry in securing the nation’s infrastructure, an alliance essential to any effort to thwart hostile foreign governments, terrorists, and cybercriminals. The report may, or may not, also address the consumer privacy concerns raised by such a public-private alliance.

Those concerns are sure to be a hot topic most of next week, at this year’s biggest privacy and security conference, CFP2009, which will be covered on this blog by my colleague, Senior Editor Donna Tapellini. Are you concerned about online privacy? Let us know and be sure to follow her coverage here next week.
