October 01, 2008

Online security: How savvy are you about cyber-safety?

Did you know that October is National Cyber Security Awareness Month? A number of organizations, including ConsumerReports.org, are joining forces to help promote safe computing practices and educate consumers about the threats of online fraud and identity theft. (For more information, see the National Cyber Security Alliance's web site, StaySafeOnline.org.)

As part of the effort, we've created a new, free Online Security Guide, which includes the following features:

In the next few days, and throughout October, we’ll provide more details and news related to Cyber Security Awareness Month on our Electronics Blog and Online Security Blog.

—Jeff Fox

August 13, 2008

Many Banks Don't Follow Safe Web Practices

Robbers of old hit up banks because, obviously, that's where the money was. Today's cyberthieves are no different, so financial institutions' Web sites have high security requirements.

Yet three engineers at the University of Michigan found plenty of flaws in banks' online security. One alarming result of their study concerns how banks present log-in pages to users. The study (available if you have Adobe Acrobat installed) looked at the state of 214 U.S.-based financial institutions in 2006, and found that 47 percent of those banks ask users to log in on non-SSL pages. (SSL pages can be distinguished from others because they have an https address and a picture of a lock in the lower bar of the Web page.) That means a cybercriminal could hijack the page and cause the log-in data to be sent elsewhere.

Another notable problem cited was the offer by 31 percent of the institutions to send statements and other sensitive information via e-mail. The danger: Most users don't have secure e-mail.

The study pointed out other security flaws, including "breaks in the chain of trust," where an initial web page is secure but the user is forwarded without notice to an insecure page; posting contact information and security advice on insecure pages, which gives an attacker a chance to forge the page and provide incorrect contact information; and inadequate requirements for strong passwords.

According to the study, 76 percent of the sites exhibited at least one of those security problems, 68 percent had two or more, and 10 percent had all five.

We're hoping that at least some of the sites studied have by now improved their security practices. Meanwhile, you should follow your own list of safe online practices. Take a look at our September cover story, "7 Online Blunders," to find out how to avoid identity theft. For more information about online and computer safety, see our "Special section: Cyber-Insecurity" on ConsumerReports.org. To find the security software you'll need to protect yourself online, check out our latest Ratings of security suites and antiphishing tools. (Ratings are available to subscribers only.)

—Donna Tapellini

July 18, 2008

Musical malware

Add a new danger to the many already lurking online: Open up the wrong music or video file and you could reveal all your passwords to Russian cyber-crooks.

The risk was discovered by researchers at San Jose, Calif.-based security firm Secure Computing. Here's how it works. Joe ComputerUser buys an illegal copy of a software program and heads online to get the verification code that will unlock the pirated software. That’s when a Trojan is downloaded onto Joe’s computer. The same Trojan might also be picked up from a file-sharing site, like Kazaa, that lets consumers exchange music and other content.

Joe doesn't know it, but that Trojan is infecting all his MP3 (music) and WAV (video) files. Then, Joe shares one of those files with a friend, who tries to play it. When he does, he gets a pop-up that says he has to download a "codec" (a compression/decompression algorithm) in order to play the file. Joe's buddy, excited to listen to the song Joe shared with him, doesn't think twice and allows the download. He doesn't know it, but he's been infected with malware that steals all his passwords and sends them to the Russian crime network mentioned above.

This particular Trojan is notable, says Christoph Alme, team lead for Secure Computing’s antimalware research labs, because it infects existing files, such as Joe's own MP3s, that then serve to pass on the malware.

As nasty as this Trojan is, you can easily avoid it. Don't buy pirated software or download illegal music. And if a friend innocently sends you an MP3 or WAV file that says you need to download or install something in order to play it, deep-six the file instead. Above all, don't forget to make sure your security software is updated and running properly. Alme says most security-software providers are already wise to this new exploit.

—Donna Tapellini

May 28, 2008

What to do if your gadgets get grabbed

I was recently in Brussels attending some meetings with members of International Consumer Research & Testing, a consortium of consumer organizations of which Consumers Union is a member. I planned to spend two days on my own after the meetings, in the medieval town of Bruges, an hour's train trip from Brussels. While on a train platform in north Brussels, I was victimized by a team of robbers who skillfully distracted me and snatched my laptop bag. Among other items, it contained my laptop, cell phone, iPod Touch MP3 player, noise-canceling headphones, and a few USB thumb drives. All gone.

While such an incident could well ruin more than just a trip, some personal practices and quick actions prevented that from happening in my case. Here's what I recommend you do if your personal electronics items are stolen on the road, with notes on what I did:

Change passwords. Fortunately, I had not put my financial files or account data on any of the stolen storage devices. I have no need to carry that info when traveling, so it resides only at home.


May 22, 2008

Help us stop online scammers and computer viruses

We need your help in preparing an upcoming report for Consumer Reports and ConsumerReports.org about staying safe online. We're looking for tips to help consumers avoid becoming a victim of viruses, spyware, or cybercriminals. We're not looking for obvious advice, such as "don't click on e-mail attachments" or "always run antivirus software." Rather, we’d like to hear about things online consumers often overlook, or don't know, when going online. (It can include anything from hardware to software to the consumer's own behavior.)

For each tip, please describe the mistake itself plus its consequences.

If you've suffered a loss yourself online, whether to your computer, wallet, privacy, or something else, we'd also like to hear about the mistake that led to that loss, how you resolved your problem (if you did), and how other consumers can avoid a similar experience. Please be as precise as possible.

Please let us know if you're willing to be interviewed for this article, plus whether you're willing to be photographed.

Don't forget to tell us how to contact you.

Note: Your response to this request won't be published anywhere, including this blog. If we interview you, your story may appear in the finished article. If you prefer to respond directly by e-mail, send your response to Security@cro.consumer.org.

Thanks for your help.

—Donna Tapellini

April 09, 2008

RSA 2008: Only you can prevent cyber-attacks

Ira Winkler looks like a guy with a lot on his mind. And rightly so. After all, he helped orchestrate a hack of a power company, at the request of the company itself, which wanted to test its defenses. It took Winkler, who is president of the Internet Security Advisors Group, and his team just a day to break in. If he'd wanted to, he could potentially have turned out the lights on the power company's customers—or worse, since this company ran a nuclear reactor.

Obviously, the company's defenses did not hold up well. What was most striking was how easy it was for Winkler and his team to break in. One step in accomplishing the task involved tricking employees into clicking on an e-mail that downloaded malicious code onto their work computers.

"There is a major storm brewing that is receiving insufficient attention from the government," Winkler said.


April 08, 2008

RSA Conference: Assessing online threats

I'm attending the RSA Conference in San Francisco—billed as the "world's largest security conference and expo"—where security software maker Symantec today revealed a few of the latest online threats, and U.S. Department of Homeland Security Secretary Michael Chertoff offered a few insights into what the federal government is doing to protect U.S. cyberspace.

The biggest threat to your personal data, according to Symantec, comes from the loss of laptops, hard drives, and USB drives, which accounted for 57 percent of the data loss outlined in the company's latest Internet Security Threat Report, released today. In addition, 70 percent of the malicious code unleashed in the last six months of 2007 was meant to steal confidential information. Finally, the creation of malicious software is now outpacing the creation of "good" programs, said Steve Trilling, vice president of Symantec Research Labs.

All this stolen information ends up in an underground marketplace that works just like a legitimate economy, Trilling said. Stolen eBay accounts go for about $8, e-mail passwords for $30, credit cards for as little as 40 cents, and bank accounts for up to $1,000 or so, depending on how much money is in the account. Interestingly, the virtual world is one of the most lucrative. A stolen World of Warcraft account can be worth 100 times more than a credit card.


April 02, 2008

A Lenovo laptop that knows your face

I hate passwords. Or more correctly, I hate how many passwords, PINs and security codes/answers I have to remember.

There are passwords and access codes to get into my home and office computers; my cell phone; my work and personal e-mail accounts; my home, office and cell phone voicemails; my online bank accounts; my wireless home network equipment; my accounts with Web sites such as ConsumerReports.org and this blog...

Maybe that's why I was very interested in the Lenovo IdeaPad Y510, one of the latest notebooks Consumer Reports is testing for our upcoming laptop computer Ratings update. Its most unique feature: It uses your face as the key to personal computer security.

The IdeaPad uses VeriFace, a "facial recognition" program installed in the IdeaPad.  Put simply: You register yourself (and anyone else that you want to have access to the laptop) by letting the software "scan in" the faces in front of the built-in, 1.3-megapixel webcam. Those facial images can then be associated with logins—to a Windows Vista "user" account, for example. That way if you've set the Lenovo to "lock" after a period of inactivity, getting back in is as simple as facing the webcam at the top of the IdeaPad's 15.4-inch LCD screen. This facial recognition scheme can also be used to log you into your Web-based e-mail and other accounts that normally require you to type in a user name and password.

You can review how the Lenovo IdeaPad works by watching our video using the player embedded in this post.

As with other biometric-based security devices (such as fingerprint scanners), VeriFace worked well and wasn't spoofed by simple trickery. But this 007-type approach to PC security wasn't completely flawless. (Hint: Those who wear hats and reflective glasses or typically use their laptops in badly-lit places might have second thoughts about facial recognition security.) And VeriFace still requires typed-in passwords as a back-up means of access—which means it is no less vulnerable to hackers and code-cracking software.

We're still testing the Lenovo IdeaPad and will include it in our Ratings of laptop computers soon on ConsumerReports.org. But one shortcoming that was obvious to me and other testers: Its LCD screen reflected light—a lot. Under our video studio's bright lights, the screen acted like a mirror. Perhaps that's so you can better examine your face before telling the Lenovo's VeriFace software, "I'm ready for my close-up."

—Paul Eng

March 12, 2008

Announcing a new feature for the Electronics Blog

As our annual State of the Net survey has shown for the past several years, the insecurity of online consumers is a severe national problem that affects nearly everyone and costs American consumers billions of dollars annually.

Coverage of this important subject has become an integral part of our electronics content, both in print and online. While we will continue reporting on Internet threats of all types, and testing the key products and services that help you protect yourself online, this year we will begin to do even more.


Cell-phone spam: How to curb it

Cell-phone spam still trails computer spam, with the typical cell-phone user receiving at most a few spam text messages per year rather than the thousands that may bombard their computer-based e-mail accounts. But in some ways, cell spam is more annoying. It can cause your phone to ring or vibrate at inopportune times and possibly cost you money—typically 10 to 25 cents per message if you don't have a text-messaging plan.

Since 2005, the CAN-SPAM Act (Controlling the Assault on Non-Solicited Pornography and Marketing) has prohibited commercial e-mail and text messages from being sent to cell phones without "express prior authorization." Unfortunately, the law leaves commercial entities lots of loopholes. For example, it doesn't prevent your carrier or its partners from sending you upgrade offers or account notices. Also, non-commercial organizations such as charities and political campaigns can shoot you all the messages they want on your dime.


March 10, 2008

In spring, a phisher's fancy turns to taxes

If tax season is here, can IRS e-mail scams be far behind? Here's a tempting one making the rounds: An e-mail that looks like it's from the IRS tells you the agency has "determined that you are eligible to receive a tax refund of $746.35." All it takes to get that cash is a simple click on a link to "access the form for your tax refund."

If you get one of these, don't start planning that vacation yet, and definitely do not click on the link or fill out the form. The IRS doesn't send unsolicited e-mails about tax refunds or any other matter. What you've actually received is not an opportunity to claim hundreds of unexpected dollars. It's a phishing scam designed to load malicious software onto your system and collect personal information for use in identity theft schemes.

This and other scams that use refunds from the IRS as bait are more prevalent than ever. Meanwhile, even newer scams are showing up surrounding the recent Federal tax rebate, according to Paula Greve, director of Web security research for Secure Computing.

In fact, Greve notes, there has been a 3,000 percent year-over-year increase in phishing attacks and malicious Web sites targeting the IRS, with more such attacks in January 2008 alone than in the first six months of 2007 combined. Close to 600 IP addresses sending e-mail purporting to be from the IRS have already been tracked, and Greve expects that number to increase.


February 05, 2008

Adware recedes, but other online threats grow

If you've noticed fewer popup ads while Web surfing, it's probably more than just your anti-popup software doing its job. So-called "nuisance adware," popups and home-page hijackers that annoy but don't usually harm your computer, has been vanquished, though not totally eliminated.

That was one of my main takeaways from attending last week's fourth annual public workshop held by the Anti-spyware Coalition, a group of software companies, academics, and consumer groups united in the effort to control spyware and other online threats. Held in the shadow of the US Capitol in Washington, DC, the workshop's subtitle was, "What's worked, what's left, and what's coming."

Some of the reasons for the downfall of nuisance adware include new state anti-spyware laws, aggressive high-profile prosecutions of perpetrators, and a growing reluctance by high-profile makers of consumer products and services to inflict further damage on their brands by advertising in a medium (adware) that one workshop speaker characterized as "a lousy consumer experience."

But this success has come at a price, the conference attendees found out. While some adware purveyors have changed their practices for the better to stay on the good side of the law, others have gone underground, to a market position some speakers called "the dark side" by adopting even more egregious technologies borrowed from virus writers, hackers, and other online miscreants.

Following a keynote by FTC Commissioner Jonathan Leibowitz, conference panels discussed such topics as Is Spyware Dead?, Can Investigators Stay Ahead of the Bad Guys? and Education: What Works and What Doesn't? Speakers included experts from major anti-malware vendors like McAfee and Lavasoft, government officials, security professionals, and academics.


January 23, 2008

Digital picture frames infected with computer virus

Best Buy tells us that one of its Insignia brand digital picture frames has been contaminated by a virus. The only model involved is a 10.4-inch frame bearing the number NS-DPF10A. If you're downloading photos by connecting this frame directly to your computer, you may be putting your system at risk. Owners should contact the company by calling 877-467-4289. Best Buy will help you determine whether your frame is affected and will let you know how to proceed if it is. The model, which was sold over the holiday season, has been discontinued and is no longer available for purchase from Best Buy.

The virus is not a new strain, so if your system is protected by antivirus software, it should catch and isolate the infection. In addition, if you're loading photos using a memory card, the virus can't be passed along that way, according to a Best Buy spokesperson.

So far, the company has received about two dozen calls concerning this issue. Best Buy is still investigating the cause of the infection. If you have another model of Insignia frame, and notice that your antivirus software is picking up viruses when you connect the frame to your computer, call Best Buy and let them know. Continue checking the Insignia home page at http://www.insignia-products.com/default.aspx for further developments.

And for additional computer safety tips, including Consumer Reports' Ratings of the best computer security software and online protection tools, check out our online cyber-security center.

—Donna Tapellini

January 18, 2008

MacWorld 2008: Will Macs Become Less Secure?

With Mac sales up, and many new users coming to the platform, will malware writers begin to seek fresh targets? I asked the chief technologists at security companies Intego and McAfee what they saw as the primary threats to the Mac platform, both today and looking ahead.

While both agreed that Mac OS X is solid when it comes to security, they also fear that malware attacks on the Mac are inevitable—it's just a matter of when.

According to George Heron, the chief scientist at McAfee, 35% of the malware currently threatening computer users has been discovered in the past two years. In 2002, there were about 100 new detections a week. By 2007, that number had skyrocketed to 2000-plus. That's probably because the profile of cyber-criminals has changed. It's not about impressing your fellow geeks with your virus-writing prowess anymore. Today, money rules in the cyber-underworld, with malware going after financial information, credit cards, and bank accounts. Large, well-organized, highly sophisticated hackers design spam and phishing scams on a massive scale, largely operating out of China, Brazil, Russia, and the Middle East, according to Heron. More Macs in the marketplace means a growing profit opportunity in a highly profitable industry that steals billions worldwide.

Intego's Jack Nahan told me that the biggest threats to Mac users going forward are phishing, trojans, and ID theft. The two most interesting and insidious to date have been a scam where the user is invited to download a supposedly friendly new piece of anti-virus shareware called "Macsweeper" (it installs a trojan), and a "screen scraper" app that comes off the Web and never resides locally. It just copies whatever is on the user's screen (including banking information) and returns it to the scammer.

For more information on how to protect your computer (Mac or PC) and your information while online, check out these free resources on ConsumerReports.org:

And if you subscribe to ConsumerReports.org, you'll have access to:

—Thomas A. Olson

January 14, 2008

Macworld 2008: Preview

Apple goes into Macworld Expo, the annual party, love fest, and religious revival for the Cult of Mac, which opened today in San Francisco, following a year that's had a few fizzles (Apple TV, the first release of OS X Leopard, 10.5), one big hit (the iPhone) and under-the-radar sales growth of 40% for Mac desktops and laptops. The one adjective that no longer describes Apple is "beleaguered."

While analysts don’t see the same kind of explosive growth for Apple this year, they still hope a few compelling new products and services will keep the company on a growth track.

I do believe Apple will deliver. My first clue was this week's pre-event announcement of a new MacPro tower and XServe, powered by 8-core Intel Xeon processors, offering 2.3 times the speed and raw horsepower of the dual, quad-core 3.0 GHz machines being sold only a month ago. If they couldn't wait one week to announce this, it often indicates they have so many other things to show us, there simply wasn't room in the Keynote program to hold it all.

Below is a distillation of predictions, hopes, and wishes from the amassed Mac pundits and bloggers for Keynote 2008:

Movie rentals in iTunes: Fox and Disney are reported as already signed on and almost everybody wants the "One More Thing" to be—at long last—the entire Beatles collection, made available at the iTunes Music Store (iTMS). (If that happens, no one will be crying over the loss of Universal.)

Improvements to iPhone: A 16GB, 3G model, with no limits on cell service provider—we can certainly dream, can't we? Also rumored is an iPhone SDK (software development kit), which would mean that there would be a market for third-party software. We might even see a demo of 3rd-party apps—something developers were clamoring for most of last year.

Office 2008—slam-dunk #2, as Amazon is already taking pre-orders. I expect someone from Microsoft will make the official announcement during the Keynote. (I'll write more on Office later in the week, when I get to see it for real.)

Leopard 10.5.2—this is almost a slam-dunk, as the Developers Cut is already making the rounds. There are at least 75 fixes and feature additions in the works, and this would be a perfect time to announce their deployment.

New Cinema displays with touch-screen and built-in webcam—possibly 24-, 27- and 30-inch models, an upgrade that is long overdue.

Blu-ray drives in some Macs—a rumor that is growing some legs, now that Blu-Ray seems to be winning the format war, and there is going to be a growing need to handle HD content.

Ultraslim notebook/touch tablet—this is the biggest rumor to make the rounds, and highly likely: Apple fills out its laptop line with an ultra-thin notebook, running on flash memory instead of a hard drive, sporting a 12-13 inch touch screen, which could possibly fold over to become a tablet Mac.

Final Cut Studio update—not likely, but definitely overdue, considering the plethora of new digital camcorders that have hit the market.

Apple TV "2.0"—look for a "reboot" of this product, with new features, more storage, and built-in compatibility with iTMS movie-rental.

If you are not attending this year, here is a link to sites offering live blogging of the Keynote (SFW). Stay tuned!

—Thomas A. Olson

Thomas Olson, the Publishing Systems Administrator for Consumer Reports' Editorial, Design, Production and Pre-Press groups, has been a Mac enthusiast since 1984.

 

About this blog

Consumer Reports' electronics reporters, editors, and testers will quickly report on new developments and trends.
