A few days ago, news broke that a computer worm had hitched a ride on the International Space Station by stowing away on the astronauts’ laptops, which were reportedly unprotected by antivirus software.

The worm, Gammima.AG, which replicates itself and steals passwords to online games, was discovered about a year ago and isn’t considered high-risk.

Still, if the astronaut has followed the advice in our 7 Online Blunders report, namely to make sure you’ve got activated and updated security software on your computer, Gammima.AG would never had made it out of earth’s biosphere.

So no matter where you take your laptop (or desktop), make sure it has security software properly installed and running.

—Jeff Fox

Robbers of old hit up banks because, obviously, that's where the money was. Today's cyberthieves are no different, so financial institutions' Web sites have high security requirements.

Yet three engineers at the University of Michigan found plenty of flaws in banks' online security. One alarming result of their study concerns how banks present log-in pages to users. The study (available if you have Adobe Acrobat installed.) looked at the state of 214 U.S.-based financial institutions in 2006, and found that 47 percent of those banks ask users to log in on non-SSL pages. (SSL pages can be distinguished from others because they have an https address and a picture of a lock in the lower bar of the Web page.) That means a cybercriminal could hijack the page and cause the log-in data to be sent elsewhere.

Another notable problem cited was the offer by 31 percent of the institutions to send statements and other sensitive information via e-mail. The danger: Most users don't have secure e-mail.

The study pointed out other security flaws, including "breaks in the chain of trust," where an initial web page is secure but the user is forwarded without notice to an insecure page; posting contact information and security advice on insecure pages, which gives an attacker a chance to forge the page and provide incorrect contact information; and inadequate requirements for strong passwords.

According to the study, 76 percent of the sites exhibited at least one of those security problems, 68 percent had two or more, and 10 percent had all five.

We're hoping that at least some of the sites studied have by now improved their security practices. Meanwhile, you should follow your own list of safe online practices. Take a look at our September cover story, "7 Online Blunders," to find out how to avoid identity theft. For more information about online and computer safety, see our "Special section: Cyber-Insecurity" on ConsumerReports.org. To find the security software you'll need to protect yourself online, check out our latest Ratings of security suites and antiphishing tools. (Ratings are available to subscribers only.)

—Donna Tapellini

E-mails claiming to be from UPS could download dangerous malware onto your computer. The mail warns you that a shipment you're awaiting from UPS has been delayed, and it contains an attachment that you’re asked to open.

The e-mail is not from UPS, which says it rarely includes attachments in its communications to customers. Open the attachment and you end up with dangerous malware, according to security software publishers McAfee and Symantec. The malware connects your computer to a Russian domain, downloads a rootkit, and allows the attacker to take control of your computer. 

If you receive this scam e-mail, don’t open the attachment, and let UPS know at customerservice@ups.com.

—Donna Tapellini

Add a new danger to the many already lurking online: Open up the wrong music or video file and you could reveal all your passwords to Russian cyber-crooks.

The risk was discovered by researchers at San Jose, Calif.-based security firm Secure Computing. Here's how it works. Joe ComputerUser buys an illegal copy of a software program and heads online to get the verification code that will unlock the pirated software. That’s when a Trojan is downloaded onto Joe’s computer. The same Trojan might also be picked up from a file-sharing site, like Kazaa, that lets consumers exchange music and other content.

Joe doesn't know it, but that Trojan is infecting all his MP3 (music) and WAV (video) files. Then, Joe shares one of those files with a friend, who tries to play it. When he does, he gets a pop-up that says he has to download a "codec" (a compression/decompression algorithm) in order to play the file. Joe's buddy, excited to listen to the song Joe shared with him, doesn't think twice and allows the download. He doesn't know it, but he's been infected with malware that steals all his passwords and sends them to the Russian crime network mentioned above.

This particular Trojan is notable, says Christoph Alme, team lead for the Secure Computing’s antimalware research labs, because it infects existing files, such as Joe's own MP3s, that then serve to pass on the malware.

As nasty as this Trojan is, you can easily avoid it. Don't buy pirated software or download illegal music. And if a friend innocently sends you an MP3 or WAV file that says you need to download or install something in order to play it, deep-six the file instead. Above all, don't forget to make sure your security software is updated and running properly. Alme says most security-software providers are already wise to this new exploit.

—Donna Tapellini

I was recently in Brussels attending some meetings with members of International Consumer Research & Testing, a consortium of consumer organizations of which Consumers Union is a member. I planned to spend two days on my own after the meetings, in the medieval town of Bruges, an hour's train trip from Brussels. While on a train platform in north Brussels, I was victimized by a team of robbers who skillfully distracted me and snatched my laptop bag. Among other items, it contained my laptop, cell phone, iPod Touch MP3 player, noise-canceling headphones, and a few USB thumb drives. All gone.

While such an incident could well ruin more than just a trip, some personal practices and quick actions prevented that from happening in my case. Here's what I recommend you do if your personal electronics  items are stolen on the road, with notes on what I did:

Change passwords. Fortunately, I had not put my financial files or account data on any of the stolen storage devices. I have no need to carry that info when traveling, so it resides only at home.

At this year's Computers, Freedom and Privacy conference in New Haven, Conn., the room was packed for a May 22 workshop on new challenges posed by spyware. A proliferation of spyware used by stalkers, identity thieves and even spouses in acrimonious divorce cases recently prompted the Electronic Privacy Information Center to file a complaint with the Federal Trade Commission. (You can see a copy of EPIC's complaint with the FCC here if you have Adobe Acrobat installed.) The sales pitches EPIC's Guilherme Roschke described at the workshop were eye-opening to say the least.  Consider this one for a spyware package being advertised for $89.95:

"Do you need to find out what someone is doing online? Is your spouse, child or friend hiding secrets from you? If so Remote-Spy is the perfect solution for anyone that needs this information quickly and secretly. Now you can use the same software professionals use to find out the information you need in total privacy."

The spyware programs are promoted as being capable of spying on email and instant messages, recording websites visited, browsing files stored on the target's computer and capturing all keystrokes typed. Many of them can be installed remotely via Trojan horse e-mail attacks. When I asked Roschke how victims are tricked into opening e-mails that launch the spyware, he replied: "Puppies and flowers." E-greeting cards with such warm and fuzzy visual images are among the lures spyware programs provide to entice the person being targeted to inadvertently install programs which then do their dirty work invisibly.

We need your help in preparing an upcoming report for Consumer Reports and ConsumerReports.org about staying safe online. We're looking for tips to help consumers avoid become a victim of viruses, spyware, or cybercriminals. We're not looking for obvious advice, such as "don't click on e-mail attachments" or "always run antivirus software." Rather, we’d like to hear about things online consumers often overlook, or don't know, when going online. (It can include anything from hardware to software to the consumer's own behavior.)

For each tip, please describe the mistake itself plus its consequences.

If you've suffered a loss yourself online, whether to your computer, wallet, privacy, or something else, we'd also like to hear about the mistake that led to that loss, how you resolved your problem (if you did), and how other consumers can avoid a similar experience. Please be as precise as possible.

Please let us know if you're willing to be interviewed for this article, plus whether you're willing to be photographed.

Don't forget to tell us how to contact you.

Note: Your response to this request won't be published anywhere, including this blog. If we interview you, your story may appear in the finished article. If you prefer to respond directly by e-mail, send your response to Security@cro.consumer.org.

Thanks for your help.

—Donna Tapellini

You might know this kid. He's as young as 12 or 13, not all that popular in school. He spends a lot of time online. You figure he's playing World of Warcraft, constantly refining his MySpace pages, or maybe hanging out in Habbo, a virtual world popular with kids. But he may also be wreaking havoc on social networking sites, selling a veritable supermarket full of his own malware, and creating packages of phishing tools.

"These kids are obsessed with phishing," said Chris Boyd, director of malware research for Facetime Communications during a presentation at the RSA Conference, here in San Francisco. They don't see phishing as a problem, Boyd says, because they typically start out stealing large numbers of MySpace pages, then move on to stealing a few PayPal accounts—but for a lot more money.

Today's young hackers consider themselves stars of the cyberworld, not aware or not caring that what they're doing is illegal. "For these kids, it's a game, a hacker version of American Idol," Boyd said. "But the TV show they're really on is America's Most Wanted."

Ira Winkler looks like a guy with a lot on his mind. And rightly so. After all, he helped orchestrate a hack of a power company, at the request of the company itself, which wanted to test its defenses. It took Winkler, who is president of the Internet Security Advisors Group, and his team just a day to break in. If he'd wanted to, he could potentially have turned out the lights on the power company's customers—or worse, since this company ran a nuclear reactor.

Obviously, the company's defenses did not hold up well. What was most striking was how easy it was for Winkler and his team to break in. One step in accomplishing the task involved tricking employees into clicking on an e-mail that downloaded malicious code onto their work computers.

"There is a major storm brewing that is receiving insufficient attention from the government," Winkler said.

I'm attending the RSA Conference in San Francisco—billed as the "world's largest security conference and expo"—where security software maker Symantec today revealed a few of the latest online threats, and U.S. Department of Homeland Security Secretary Michael Chertoff offered a few insights into what the federal government is doing to protect U.S. cyberspace.

The biggest threat to your personal data, according to Symantec, comes from the loss of laptops, hard drives, and USB drives, which accounted for 57 percent of the data loss outlined in the company's latest Internet Security Threat Report, released today. In addition, 70 percent of the malicious code unleashed in the last six months of 2007 was meant to steal confidential information. Finally, the creation of malicious software is now outpacing the creation of "good" programs, said Steve Trilling, vice president of Symantec Research Labs.

All this stolen information ends up in an underground marketplace that works just like a legitimate economy, Trilling said. Stolen eBay accounts go for about $8, e-mail passwords for $30, credit cards for as little as 40 cents, and bank accounts for up to $1,000 or so, depending on how much money is in the account. Interestingly, the virtual world is one of the most lucrative. A stolen World of Warcraft account can be worth 100 times more than a credit card.

I hate passwords. Or more correctly, I hate how many passwords, PINs and security codes/answers I have to remember.

There are passwords and access codes to get into my home and office computers; my cell phone; my work and personal e-mail accounts; my home, office and cell phone voicemails; my online bank accounts; my wireless home network equipment; my accounts with Web sites such as ConsumerReports.org and this blog...

Maybe that's why I was very interested in the Lenovo IdeaPad Y510, one of the latest notebooks Consumer Reports is testing for our upcoming laptop computer Ratings update. Its most unique feature: It uses your face as the key to personal computer security.

The IdeaPad uses VeriFace, a "facial recognition" program installed in the IdeaPad.  Put simply: You register yourself (and anyone else that you want to have access to the laptop) by letting the software "scan in" the faces in front of the built-in, 1.3-megapixel webcam. Those facial images can then be associated with logins—to a Windows Vista "user" account, for example. That way if you've set the Lenovo to "lock" after a period of inactivity, getting back in is as simple as facing the webcam at the top of the IdeaPad's 15.4-inch LCD screen. This facial recognition scheme can also be used to log you into your Web-based e-mail and other accounts that normally require you to type in a user name and password.

You can review how the Lenovo IdeaPad works by watching our video using the player embedded in this post.

As with other biometric-based security devices (such as fingerprint scanners), VeriFace worked well and wasn't spoofed by simple trickery. But this 007-type approach to PC security wasn't completely flawless. (Hint: Those who wear hats and reflective glasses or typically use their laptops in badly-lit places might have second thoughts about facial recognition security.) And VeriFace still requires typed-in passwords as a back-up means of access—which means it is no less vulnerable to hackers and code-cracking software.

We're still testing the Lenovo IdeaPad and will include it in our Ratings of laptop computers soon on ConsumerReports.org. But one shortcoming that was obvious to me and other testers: Its LCD screen reflected light—a lot. Under our video studio's bright lights, the screen acted like a mirror. Perhaps that's so you can better examine your face before telling the Lenovo's VeriFace software, "I'm ready for my close-up."

—Paul Eng

As our annual State of the Net survey has shown for the past several years, the insecurity of online consumers is a severe national problem that affects nearly everyone and costs American consumers billions of dollars annually.

Coverage of this important subject has become an integral part of our electronics content, both in print and online. While we will continue reporting on Internet threats of all types, and testing the key products and services that help you protect yourself online, this year we will begin to do even more.

Cell-phone spam still trails computer spam, with the typical cell-phone user receiving at most a few spam text messages per year rather than the thousands that may bombard their computer-based e-mail accounts. But in some ways, cell spam is more annoying. It can cause your phone to ring or vibrate at inopportune times and possibly cost you money—typically 10 to 25 cents per message if you don't have a text-messaging plan.

Since 2005, the CAN-SPAM Act (Controlling the Assault on Non-Solicited Pornography and Marketing) has prohibited commercial e-mail and text messages to be sent to cell phones without "express prior authorization." Unfortunately, the law leaves commercial entities lots of loopholes. For example, it doesn't prevent your carrier or its partners from sending you upgrade offers or account notices. Also, non-commercial organizations such as charities and political campaigns can shoot you all the messages they want on your dime.

If tax season is here, can IRS e-mail scams be far behind? Here's a tempting one making the rounds: An e-mail that looks like it's from the IRS tells you the agency has "determined that you are eligible to receive a tax refund of $746.35." All it takes to get that cash is a simple click on a link to "access the form for your tax refund."

If you get one of these, don't start planning that vacation yet, and definitely do not click on the link or fill out the form. The IRS doesn't send unsolicited e-mails about tax refunds or any other matter. What you've actually received is not an opportunity to claim hundreds of unexpected dollars. It's a phishing scam designed to load malicious software onto your system and collect personal information for use in identity theft schemes.

This and other scams that use refunds from the IRS as bait are more prevalent than ever. Meanwhile, even newer scams are showing up surrounding the recent Federal tax rebate, according to Paula Greve, director of Web security research for Secure Computing.

In fact, Greve notes, there has been a 3,000 percent year-over-year increase in phishing attacks and malicious Web sites targeting the IRS, with more such attacks in January 2008 alone than in the first six months of 2007 combined. Close to 600 IP addresses sending e-mail purporting to be from the IRS have already been tracked, and Greve expects that number to increase.

If you've noticed fewer popup ads while Web surfing, it's probably more than just your anti-popup software doing its job.  So-called "nuisance adware," popups and home-page hijackers that annoy but don't usually harm your computer, has been vanquished, though not totally eliminated.

That was one of my main takeaways from attending last week's fourth annual public workshop held by the Anti-spyware Coalition, a group of software companies, academics, and consumer groups united in the effort to control spyware and other online threats. Held in the shadow of the US Capitol in Washington, DC, the workshop's subtitle was, "What's worked, what's left, and what's coming."

Some of the reasons for the downfall of nuisance adware include new state anti-spyware laws, aggressive high-profile prosecutions of perpetrators, and a growing reluctance by high-profile makers of consumer products and services to inflict further damage on their brands by advertising in a medium (adware) that one workshop speaker characterized as "a lousy consumer experience."

But this success has come at a price, the conference attendees found out. While some adware purveyors have changed their practices for the better to stay on the good side of the law, others have gone underground, to a market position some speakers called "the dark side" by adopting even more egregious technologies borrowed from virus writers, hackers, and other online miscreants.

Following a keynote by FTC Commissioner Jonathan Leibowitz, conference panels discussed such topics as Is Spyware Dead?, Can Investigators Stay Ahead of the Bad Guys? and Education: What Works and What Doesn't? Speakers included experts from major anti-malware vendors like McAfee and Lavasoft, government officials, security professionals, and academics.

With Mac sales up, and many new users coming to the platform, will malware writers begin to seek fresh targets? I asked the chief technologists at security companies Intego and McAfee what they saw as the primary threats to the Mac platform, both today and looking ahead.

While both agreed that Mac OS X is solid when it comes to security, they also fear that malware attacks on the Mac are inevitable—it's just a matter of when.

According to George Heron, the chief scientist at McAfee, 35% of the malware currently threatening computer users has been discovered in the past two years. In 2002, there were about 100 new detections a week. By 2007, that number had skyrocketed to 2000-plus. That's probably because the profile of cyber-criminals has changed. It's not about impressing your fellow geeks with your virus-writing prowess anymore. Today, money rules in the cyber-underworld, with malware going after financial information, credit cards, and bank accounts. Large, well-organized, highly sophisticated hackers design spam and phishing scams on a massive scale, largely operating out of China, Brazil, Russia, and the Middle East, according to Heron. More Macs in the marketplace means a growing profit opportunity in a highly profitable industry that steals billions worldwide.

Intego's Jack Nahan told me that the biggest threats to Mac users going forward are phishing, trojans, and ID theft. The two most interesting and insidious to date have been a scam where the user is invited to download a supposedly friendly new piece of anti-virus shareware called "Macsweeper" (it installs a trojan), and a "screen scraper" app that comes off the Web and never resides locally. It just copies whatever is on the user's screen (including banking information) and returns it to the scammer.

For more information on how to protect your computer (Mac or PC) and your information while online, check out these free resources on ConsumerReports.org:

• Cyber-security Central
• Best ways to stay safe online
• Best security software

And if you subscribe to ConsumerReports.org, you'll have access to:

• CR's latest Ratings of security software suites
• CR's latest Ratings of antivirus software
• CR's latest Ratings of antispyware software
• CR's latest Ratings of antispam software

—Thomas A. Olson

Your new computer finally arrived. Everything’s up and running, and you feel safe as you surf the 'Net, because you know the system came loaded with a free trial for a well-known security package. But are you really protected?

There’s a good chance that you’re not. A new survey by security-software publisher McAfee and the National Cyber Security Alliance (NCSA), released on October 1 to launch National Cyber Security Awareness Month, turned up a notable disconnect between most users’ perception and the reality when it comes to their computer's security.

Consider this: 87 percent of those surveyed said they use antivirus software. But in fact, on 48 percent of the computers scanned as part of the survey, the antivirus software was not up to date. The respondents thought they were protected, but they were actually all too vulnerable because an antivirus that's not up to date is ineffective. The problem spans other types of security software, too. For example, while 81 percent of those surveyed had a firewall installed on their computer to block hackers, only 64 percent had activated it.

Related information:

• Consumer Reports Cyber-Security Center
• Best ways to stay safe online
• Best-rated online security software suites
• U.S. Federal Trade Commission's OnGuard Online Web site

To borrow from an old public-service announcement: It's 10 o'clock, do you know where—online—your children are? If the answer is, "Romping around on social-networking sites," it's time for you to take some action.

Millions of minors post all sorts of personal information on social networking sites like MySpace. Sadly, such sites have become virtual playgrounds for adult sexual predators, too, placing a new responsibility of the shoulders of already-overworked parents: safeguarding their kids who go online.

What makes sites like MySpace so risky is that predators can develop long-term relationships with several children simultaneously. "They'll contact the youth repetitively for up to six months," Dr. Sharon Cooper, CEO of Developmental and Forensic Pediatrics in Fort Bragg, N.C., told me. The predators usually present themselves as about 20 years old, an appealing age to younger children, according to Dr. Cooper. They talk to the child so frequently and for such a long period of time that by the time they propose meeting, the children don't see the predator as a stranger. "They see them as people who understand them better than their own parents," she says.

Related reports:

• Social networks: Kids at risk 
• Net threats: Why online is still risky 
• Best online security software 
• Consumer Reports on cyber-security

When it comes to online security, some key threats are getting better and yet remain serious problems. Take spam, for example.

Jeff Fox, Consumer Reports’ Technology Editor, is today presenting evidence to the Spam Summit, a Federal Trade Commission event on this ongoing Net menace. (Note: The link will take you directly to the FTC's Web site for the summit.) Drawing on findings from the 2007 Consumer Reports State of the Net report, which includes a nationally representative survey of U.S. Web users, Jeff’s paper offers both hope and alarm about the spam scourge.

Spam is easing, our survey found. The proportion of spam recipients who said half or more of their e-mail was spam dipped below 50 percent for the first time since our survey began  in 2004. Also, fewer people reported clicking on links in spam or replying to it. (Click on the image on the left to see our findings.) And the use of spam blockers and firewalls is more widespread.

But spammers are still making sales from their messages and ensnaring people with phishing scams, in which bogus e-mails and Web sites induce people to disclose information about their financial accounts. Based on our survey, we estimate that 650,000 Americans made such a purchase in the month before the survey. And the proportion of Web users who are responding to phishing messages has remained steady. (Click on the image on the right for a closer look at our findings.)

What to do? Jeff recommends a continued effort to educate Web users, since some of the good news from our survey (fewer clicks on links, for example) proves that education can help. He also advocates steps to boost the effectiveness of the federal CAN-SPAM Act, which has given law enforcers new tools to use against spammers. The FTC also needs adequate resources to take full advantage of the U.S. Safe Web Act, which allows that agency more authority to work internationally to protect consumers. For their part, software manufacturers need to design firewalls that clearly identify name a product that is attempting outgoing communications, rather than using a hard-to-identify file name. In addition, Microsoft needs to fix its Vista firewall. (See our previous post on Window Vista's flawed firewall.)

We’ll have more on spam and other threats--both good news and bad, problems and solutions--in the State of the Net 2007 report, and in its accompanying Ratings report on software to protect against viruses, spyware, and spam. Both reports will post to ConsumerReports.org in early August.

In the meantime, you can find out more helpful information about how to protect your computer and your personal information by visiting our special cyber-security section and our Ratings of computer security software programs.

-- Paul Reynolds

If you’ve installed Vista on your PC or are planning to do so, it’s important to update your security software as well. In fact, if you have a current subscription to security software, check your vendor’s Web site to make sure there is a Vista version currently available—not all the security-software vendors have Vista software ready.

Although Vista is being touted as a more secure operating system, you still need to take additional steps to protect your data. For starters, you don’t get antivirus software with Vista. The antispyware bundled free with it, Windows Defender (we tested the beta version last summer), did not score as well as other programs.

Different providers are using different methods to help their subscribers keep up to date. In addition, how you do so will depend on whether you’ve bought a new PC with Vista installed or upgraded your old computer with Vista. Keep in mind that if you bought a new PC and want to transfer a subscription from your older system, you’ll probably have to remove the software from the old PC first, and you’ll most likely need a key number to get the new version. If you’re upgrading a current PC to Vista, some vendors, including Symantec, recommend updating your security software before you switch to Vista.

Here’s the latest from a sampling of security-software providers:

BitDefender
BitDefender Antivirus 10, Antivirus Plus 10, and Internet Security 10 are all Vista-compatible and free to current subscribers. Check the site at http://promo.bitdefender.com/vista.php.

Computer Associates
The only CA product currently Vista-ready is its antivirus software. Antispam should be available mid-February, and others will follow during the month of March. Check the CA Web site at http://home3.ca.com/stcontent/vistaready/index.aspx for the latest additions and update instructions.

F-Secure
F-Secure currently has beta versions available for its Internet security suite as well as its antivirus software. Final products will be available online in May and in stores in June. Subscribers will be eligible for free upgrades. For more info, go to http://www.f-secure.com/vista/consumers/.

Kaspersky
Kaspersky’s Anti-Virus and Internet Security are both available for Vista. Current subscribers can download them free at http://usa.kaspersky.com/vista/.

McAfee
You need to be a subscriber of the 2007 version of any McAfee software if you want to run it on Vista. Upgrades to the Vista-compatible versions are free to current subscribers.

If you’re a McAfee user who bought a new Vista PC, uninstall the McAfee software from your old system if you want to use it on your new one. Then log on (using the e-mail address and password you set up when you originally bought the software) to http://us.mcafee.com/root/myaccount.asp to download a Vista version for your new system.

For McAfee subscribers who upgrade their existing system to Vista, McAfee software will automatically upgrade to a Vista-compatible version. The exception: subscribers who manually install McAfee updates will have to download the Vista upgrade themselves.

Symantec
Norton Internet Security 2006/2007, Norton AntiVirus 2006/2007, and Norton Confidential are all available for Vista. The Symantec site at http://www.symantec.com/home_homeoffice/themes/vista/compatibility.jsp has more information on Vista-compatible products.

Users who subscribe to the 2007 versions of Internet Security and AntiVirus should uninstall the old Norton software and download the trialware from Symantec’s Web site. You’ll need your product key (available in your Norton Account, the CD-ROM sleeve, or the confirmation e-mail if purchased online). The trialware will automatically be converted to an activated product with your remaining subscription. If you have the 2006 versions of those products, go to www.symantec.com/07upgrade for an assisted upgrade.

Trend Micro
Trend Micro Internet Security 2007 (formerly PC-cillin), Trend Micro AntiVirus plus AntiSpyware 2007, and Trend Micro HouseCall all work with Vista. If you are currently subscribed to Trend Micro Internet Security PC-cillin 2005/2006/2007, go to http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034344 for instructions on how to change to the Vista software.

Zone Alarm
Zone Alarm products are not currently Vista-compatible. A company spokesperson says a beta should be available for ZoneAlarm Internet Security Suite in the next couple of weeks, with the final product likely being released in April. ZoneAlarm subscribers will be able to upgrade free when it’s available.

-- Donna Tapellini

We've just confirmed what some bloggers have been telling savvy users: Microsoft Windows Vista's outbound firewall is not very effective out of the box.

Windows Vista, according to Microsoft's features list, has a greatly-improved Internet firewall that can block both inbound and outbound unauthorized communication. (XP's firewall only blocked inbound.) The importance of outbound blocking is made clear by looking at the growing number of "zombie" PCs on the Internet, linked in "botnets" controlled by spammers and other miscreants to send out thousands of spam messages, act as servers for criminals, or steal personal information.

A good outbound firewall must assume that a "Trojan horse" program — one that sends an "I'm here, ready to be controlled" message to an attacker — might get on the PC through some unprotected breach, such as software downloaded from a shady website, a USB thumb drive, or another PC on a home network. With that assumption, the firewall should block communications from any program that's not in its list of known, trusted programs, notifying the user that a new program is trying to "reach out" to another computer, and asking the user to explicitly allow or deny it to do so, hopefully supplying enough information to let the user figure out if it's a good or a bad program.

Vista's outbound firewall has no mechanism for this. The only way you can block a bad program is to know it's there (unlikely in the case of a Trojan horse), know its exact name and where it is on your hard drive, then go into an obscure interface in Vista's Computer Administration Control Panel and enter that information. If a malicious program renames or relocates itself (common in the case of malware), your blocking will be rendered ineffective. Vista doesn’t warn you of any of this.

The best firewalls use two built-in lists of programs — those that are OK to allow outbound communications, and others that are definitely not: keyloggers, dialers, mailers, spambots and the like. At the least, a firewall should block any new program it doesn't know about and give the user some help in setting up a rule to block or allow it. Vista's firewall fails this basic requirement.

So, even for Vista users, our usual computer security advice stands: For an extra measure of security, especially where others may use your PC or home network, use a third-party firewall. Most of the major security software companies offer firewalls, or suites containing a firewall. If you use one, be sure to turn off Vista's firewall, as the two may conflict.

— Dean Gallea