<![CDATA[Gawker: valleywag, security]]> http://gawker.com/tag/valleywag/security <![CDATA[FBI Director Chastised by Wife for Being Common Internet Sucker]]> Robert Mueller promises to keep vigilantly fighting internet scammers. The FBI chief also promises not to be so gullible himself, online, which should be easy, since his wife just banned him from internet banking, for being a huge idiot.

It turns out the guy in charge of fighting online crime was nearly conned by online criminals: Mueller told a San Francisco audience today that he once began entering his personal information into a scammer's Web form in response to what appeared to be a "perfectly legitimate" email from his bank, The Register reports. Then, after being asked for his password, Mueller realized he'd made a huge mistake and changed all his passwords and eventually turned to his wife, and was like, ha ha, "teachable moment."

But she replied: "It is not my teachable moment. However, it is our money. No more internet banking for you!"

The point is, stop trying to use the internet for any sort of important business, people, because if Robert Mueller can't figure this crazy thing out, who can? Other than hackers, terrorists, children, and most humans outside of U.S. banks, credit card companies and the federal government?

]]>
<![CDATA[Your Password, '123456,' Sucks]]> An analysis of 10,000 Hotmail passwords obtained in a phishing attack reveals that the most common password is "123456," which is pretty much the first thing any decent hacker will try to guess. Your password probably sucks, too.

The maker of one password tool estimates it can crack 55 to 65 percent of passwords out there — and that's not even particularly impressive, says security writer Bruce Schneier in an in-depth look at picking a secure password. You won't read that, so here's a very short guide. Summary: Use a password manager, don't use words from the dictionary, don't use the same password on every site.

And try not to be the Hotmail user who picked the reasonably secure password "lafaroleratropezoooooooooooooo," only to then go and enter it in a stupid phishing website.

(Pic: by zakwitnij on Flickr)

]]>
<![CDATA[Entire U.S. Government Under Hacker Attack]]> Security experts have to admit they kind of admire him, the hacker who is bizarrely attacking every last boring part of the U.S. government, online. His mysterious army is living the American Dream, really.

The ongoing denial of service attack against U.S. government websites is nothing if not ambitious, you see, and what it lacks in sophistication it makes up for with what a Yank might call "moxie."

According to reports from IDG and AP, someone is launching what may be the biggest distributed Web attack yet, consuming at one point 20-40 gigabytes/second worth of bandwidth. And instead of just concentrating that power, the attacker is going after basically everything, including

  • the Secret Service,
  • the Department of Homeland Security,
  • the Department of State,
  • the White House,
  • the National Security Agency,
  • the Department of Defense,
  • the Federal Trade Commission,
  • the Department of Transportation,
  • the Treasury Department,
  • the Federal Aviation Administration
  • and, who knows, probably the Park Service too.

As one researcher told ComputerWorld,

Who goes around targeting a site like the FAA or the U.S. Treasury? It's not something that most people would think to attack.

Ah, but every American success story must start somewhere. Using computers mainly based in Korea, but not necessarily controlled from there, the attacker successfully knocked out the FTC website for a day or two. Just imagine what our country would look like if our financial regulators were out to lunch much longer than that!

(Pic via)

]]>
<![CDATA[Why the Koobface virus spread so fast]]> A long-dormant virus aimed directly at Facebook struck Thursday, spreading quickly via the social network. What's surprising isn't that Koobface hit Facebook so hard. It's that it took so long to do it.

How Koobface works: A Facebook user gets a message from a friend telling them to view a clip, with a subject line like, "You look so amazing funny on our new video." Unbeknownst to the recipient, the friend's computer has been infected, and the virus has commandeered their Facebook account. After clicking the link, the user gets a message saying Adobe Flash needs to be updated. Instead of a Flash update, the Koobface virus gets downloaded, and the infection spreads. Koobface then commandeers not just Facebook accounts but online-banking logins, credit-card numbers, and the like, profiting criminal gangs.

Variants of Koobface have been reported since August, when it struck MySpace. MySpace's anything-goes website proved more vulnerable than Facebook; profile messages are littered with spam, so it was easy for Koobface to commandeer accounts and leave messages which pointed people to websites which could infect their PCs. Facebook was also affected, but the infection was quickly controlled.

It's not entirely clear why this Koobface outbreak hit critical mass. But enough has changed since August that it's not entirely surprising. Facebook itself is partly to blame. Facebook PR has been touting increasing viewing of video on the site. That behavior was exploited by virus writers' use of a clip as a lure. Facebook's growing user base — more than 120 million, at last count — makes for an attractive target, and more fertile ground for a computer infection to spread.

But I think it goes deeper. The very premise of Facebook is the viral spread of ideas among networks of friends. When a friend joins a group, shares a news story, or watches a clip, you get a message in your news feed. Facebook's hoping to profit from this behavior by helping advertisers spread these stories faster. The real problem with Koobface isn't that it's doing something Facebook disapproves of — it's that Facebook's not getting a cut.

]]>
<![CDATA[YouTube users in virus panic]]> Hasn't YouTube always seemed too good to be true — all those video clips, for free? We must be getting away with something. That's why rumors about a new YouTube virus have spread so far, so fast.

Some people viewing YouTube videos have gotten an alert saying antivirus software has detected a computer virus called Actns/Swif.T. That virus is real enough; it redirects people to a website which then installs a piece of hostile software deceptively called Antivirus 2009. The software is actually spyware, and notoriously annoying to remove.

But YouTube is not actually infected with a virus, it turns out. Instead, out-of-date antivirus software is mislabeling YouTube clips as a threat.

Panic over, right? No. The video format YouTube uses, Flash, has proven insecure before. YouTube processes users' video files and generates its own Flash files, so it's unlikely that YouTube would host hostile code — but never say never. As people spend more time on video sites and social networks like MySpace and Facebook, they increasingly become targets for virus creators.

The bigger problem here is figuring out whom to trust. Outdated virus-detection software, or the websites they're labeling as dangerous? Blogs which report new viral threats, or the ones that debunk them? Software which labels itself "Antivirus" but actually infects your computer? We're going deep down the rabbit hole, and I don't think Keanu Reeves is waiting for us on the other end.

]]>
<![CDATA[Credit-Card Hackers in New Attack]]> It's the last thing cash-strapped banks need right now: Holders of credit and debit cards are reporting an epidemic of unauthorized charges on their bills. It could be the sign of a massive card-fraud operation in the making. A company called Adele Services, based in Melville, N.Y., has been charging cards small amounts — 21 to 29 cents. Such charges are usually attempts by card fraudsters to test whether a particular card number is valid.

The range of complaints suggests the people behind the Adele charges have gotten their hands on a sizable database of credit cards. Large-scale hacks have happened before; the worst was in 2005, when hackers obtained a file of 40 million card numbers from CardSystems, a credit-card processor. While most consumers worry about shopping with Internet retailers, online card databases are rarely the problem. Last year, insecure cash registers at TJ Maxx and Marshalls stores exposed 45.7 million cards.

]]>
<![CDATA[PDFs now as rock-solid secure as ActiveX]]> It's a verified bug: PDF files can be used to take over your PC. Adobe's mistake was adding support for ever-sloppy JavaScript inside the once-benign PDF format. Core Security, the company that outed the vulnerability, says, "An attacker could put malicious code in JavaScript embedded in a PDF and [...] could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of the user." Great. I can hardly wait to reinstall Paul's PC after he pretends to read another of those ethics-in-journalism PDFs.

]]>
<![CDATA[Vista is so secure, no one uses it]]> Pity the poor Microsoft employees in charge of protecting Windows from third-party apps with security holes. The only code they can fix is Microsoft's. But as John Markoff reports this morning, Microsoft's boldest move to protect Windows Vista users totally backfired:

Microsoft has tried to combat the problem by building a variety of safeguards into its operating systems and its Internet Explorer browser, with mixed success. The User Account Control feature of Windows Vista, which popped up an endless stream of warnings that irritated users, proved to be one of the key factors in the poor reception for Vista. Last week in Los Angeles, the company said it had entirely reworked the user interface of its new Windows 7 operating system to minimize user frustration.

]]>
<![CDATA[Cisco concludes we're all breaking the rules]]> I'm a liar. So are you. The funny part is, we all know it. A new study by Cisco just confirms it. The 10-word version: "Everyone breaks published security policy to get their job done." None of this is a surprise to your IT department. We long for the day we can punish problem users for violating the pages of acceptable-use policies they signed but never read their first day on the job. Please, please, please just let us ban one guy from the network — pour encourager les autres, as Voltaire said.

]]>
<![CDATA[Microsoft saves my job for the weekend]]> Hooray — another zero-day patch! The financial sky is falling! The only good news is I'm used to hedge fund managers throwing themselves out the windows. If you're as familiar with zero-day patches as collateralized debt obligations, let me explain the difference to an IT guy. A CDO means I'm fired. A zero-day patch means I'm working. All weekend.

A zero-day patch is a security alert that's been issued for some major, Internet-threatening bug, one that's so serious that they give people zero days of warning. It means the bad guys know about it. It's so bad that it needs to be fixed right away, I get that. But do you think IT departments are staffed for one zero-day patch over another?

Of course not. Your infrastructure doesn't scale, but who cares? And why pay for all that automation? We have people here. Or in Bangalore, or somewhere. But when an operation takes 10 minutes per machine, multiplied by hundreds of servers and thousands of workstations for millions of customers ... well, I'll get complaints about the overtime charges, but my managers already told me they didn't want to pay to configure the automated solution. See? I can't win, even if Arista replaces every Cisco box on the network.

The bright side: This morning, I worried I'd be out of a job by noon. Thanks to Microsoft, I now have another life-or-death upgrade to install. I'll do it this weekend. I may not have a family life, but I have a job.

]]>
<![CDATA[Adobe: Amazon.com goof allowed free movie downloads]]> Amazon.com's Video On Demand service, which allows you to preview and purchase streaming videos online, uses Adobe's Flash Media Server to deliver the video. Late last week, Reuters reported that hackers had discovered an exploit that would allow users to turn the free preview into the full stream, allowing folks to watch movies for free using software like Replay Media Catcher from Applian. Adobe took issue with Reuters' contention that Flash isn't secure — instead suggesting it was Amazon's fault for not enabling various security options such as streaming encryption and player verification. Why did Adobe choose to blame a customer instead of quietly fixing the problem behind the scenes? Probably seemed easier.

]]>
<![CDATA[Israeli hacker in jail ten years after U.S. military break-in]]> Ehud "The Analyzer" Tenenbaum, who became world-famous when he and a number of fellow Israeli and California teens successfully exploited a vulnerability in Sun Solaris to gain access to computers at NASA, Andrews Air Force Base and the Department of Defense, is in jail. Earlier this month he was arrested in Montreal on suspicion of having helped defraud credit card companies of $1.8 million. Wired dug up a slickly produced, pretty entertaining video produced by the FBI a year after the intrusion.

I happened to be in Tel Aviv when Tenenbaum turned himself in to Israeli authorities on the day he was set to report for compulsory military service — he was treated as something of a national hero, a symbol of Israel's technology prowess, with even then Prime Minister Bibi Netanyahu praising him as "damn good." Tenenbaum ended up with probation and community service instead of jail time. So it wasn't with much surprise when I read Tenenbaum's mother calling the arrest a frame-up by the FBI.

The truth? The prepaid credit card scam described is a classic modus operandi in Canadian tweaker circles, at least as described in Zero Day Threat. And Tenenbaum certainly had the chops to pull it off, with the cast of fellow suspects who've been released probably participating as mules to make transactions. So once again, I'm betting Canadian dollars to donuts from Tim Horton's on meth.

]]>
<![CDATA[College students fail fake-popup test]]> In a study conducted by the Psychology Department of North Carolina State University, 42 college students were asked to watch as a series of medical sites loaded. It was a trick: The researchers had rigged the computers to display typical malware popup dialogs, such as "Warning, your computer is infected with spyware. Windows needs to download and install the anti-spyware updates to remedy this issue. Click OK to begin." Just over half the test subjects clicked OK on three flagrant malware dialogs. Timing of the clicks suggests that most users simply wanted to get the popups out of the way, without considering their contents. (Image by Ars Technica)

]]>
<![CDATA[Bank of America site down for seven hours]]> Thinking about making a run on your bank from the privacy of your own home? If you're a Bank of America customer, good luck — the site has been down since 8 a.m. PST, and the problem seems to have grown worse since it started. At first, users couldn't verify their "SiteKey" to access their accounts. The company then disabled online access and posted a note to the homepage, pictured. I couldn't even access the homepage until just now, possibly because millions of customers are now desperately checking and re-checking the site to see when access is restored. Now that I can get in, it looks like I still have some money! So don't panic — I'm sure Bank of America, like the rest of America's financial services industry, has everything under control.

]]>
<![CDATA[Users booted for Facebook spam cry to the Washington Post about it]]> Elizabeth Coe sent 100 friends a link to her company's website. This feat got her booted from Facebook — and got her featured in the opening of a Washington Post story about Facebook's spam-fighting effort. Facebook is now banning users who ask too many people to be friends all at once, send too many messages, join too many groups, or "poke" too many people. "All I was doing is using it to communicate more efficiently, which is what I thought it was for," Coe told the Post, which goes on to explore the ins and outs of Facebook's unpublished rules.

This much is easy to understand: Sending 100 friends a link to your company's site is spam by any reasonable person's definition, whether you think it's "efficient" or not. Facebook has to crack down on such behavior because its users are getting sick of a surfeit of irrelevant messages, whether they're from friends or advertisers. Web security firm Cloudmark says 37 percent of Facebook users have noticed an uptick in spam over the past six months. What's more, Facebook is dealing with an increasing barrage of worms, viruses, phishing scams, as well as security threats for which researchers haven't invented suitably scary jargon yet.

]]>
<![CDATA[Google copied Apple Web browser's bug, too]]> Security researcher Aviv Raff says Google's new browser Chrome exposes users to "malicious hacker attacks," because it allows users to launch executable files directly from the browser and without warning. Raff created a harmless demonstration to show how, with successful bait, Google Chrome users could accidentally download and launch a Java archive file that goes on to execute without warning. Security experts call this trick "carpet-bombing." ZDNet's Ryan Naraine says the flaw exists because Google Chrome is actually built from the same software as Apple's Safari 3.1, which had the same vulnerability until Apple issued Safari version 3.1.2.

]]>
<![CDATA[Sarah Palin — beauty queen, sportscaster, hacker]]> Did you know Sarah Palin was a hacker, too? We already suspected there was nothing the Republican vice-presidential candidate couldn't do. While serving as Alaska's governor, she just had a baby. Even as she runs for office, she's preparing to be a grandma and planning her eldest daughter's not-so-coincidental wedding. Google has revealed the superwoman from the north's background as Miss Wasilla, her career as a sports journalist, and other highlights of her resume. But rifling through computer files for evidence? Not a problem for Palin. The Anchorage Daily News laid out how the VPILF used her technical savvy to discover evidence that suggested a state politician was in bed with the oil industry:

Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich's computer, looking for evidence that the state Republican Party boss had broken the state ethics law while a member of the Alaska Oil & Gas Conservation Commission.

The next week, when Palin went back to work at the AOGCC, she noticed that Ruedrich had removed his pictures from the walls and the personal effects from his desk. But as she and an AOGCC technician worked their way around his computer password at the behest of an assistant attorney general in Fairbanks, they found his cleanup had not extended to his electronic files.

The technician "said it looked like he tried to delete this, but she knew a way to go around and get some of the deleted stuff," Palin said in an interview. "I didn't know what I was looking for, but I was there."

Palin found dozens of e-mail messages and documents stacked up in trash folders, many showing work Ruedrich had been doing for the Republican Party and others showing how closely he worked with at least one company he was supposed to be regulating.

]]>
<![CDATA[British superhacker will likely be tried in the U.S.]]> Gary McKinnon, the British hacker who broke into an astonishing number of U.S. military systems via a 56k modem, lost his court bid to avoid being extradited to the United States. Here's what that means for him:

According to a fresh eWeek report:

By rejecting the appeal, the human rights court paved the way for McKinnon to come to the United States, where he faces up to 70 years if convicted. He is accused of hacking his way into computers at the Pentagon, NASA and the U.S. Army and Navy in 2001 and 2002, causing a reported $700,000 worth of damage.

Attorney Karen Todner, who is representing McKinnon, said her client would now appeal to Home Secretary Jacqui Smith to try to persuade her to reconsider an earlier decision and prosecute her client in the United Kingdom.

"Failing that he will be extradited...probably within the next three weeks," Todner added.

She said her client had recently been diagnosed with Asperger's Syndrome and hoped Smith would take this information into account. McKinnon told Reuters in 2006 he was just a computer nerd who wanted to find out whether aliens really existed and became obsessed with trawling large military networks for proof.

His lawyers have argued that sending him to the United States would breach his human rights because he could be prosecuted on account of his nationality or political opinions.

Not surprisingly, McKinnon has a lot of support among technical people:

Graham Cluley, senior technology consultant with Sophos, said a poll of IT professionals conducted in 2006 found that more than half were against extraditing him, mostly because they did not feel he had malicious intent.

"There is a feeling in much of the IT community that McKinnon is being treated as a scapegoat by the U.S. authorities, that because he was arrested shortly after 9/11 that the U.S. agencies felt that they had to send out a strong message that hacking was not going to be tolerated."

(Photo by AP/Lefteris Pitarakis)

]]>
<![CDATA[How do you clean a virus in space?]]> The laptops up on the International Space Station have been infected with a virus — the W32.Gammima.AG worm, to be precise — which raises an interesting challenge: How do you wipe a computer clean when you're 217 miles away from Earth and moving at 17,000+ miles per hour? According to the BBC, the ISS isn't net-connected. All data is subject to scan before transmission upstairs. So the laptops were probably infected via flash drive before they left. The worm itself doesn't threaten the station — all it wants is your gaming passwords — and the laptops aren't connected to mission-critical computers. But the lack of an Internet connection makes fixing things tricky.

The solution to the problem is the same one you would use for your grandma who refuses to get off of her 56K connection. Pack a free version of AVG and their update files onto a flash drive and talk them through the installation and cleaning process. Don't forget the part where they owe you a beer or dinner for helping them out. You have plenty of time to plan — the next supply run is due to leave on or about November 10 from Launch Pad 39A at Kennedy Space Center.

(Virus-protein image by Allen Portner and Gopal Murti)

]]>
<![CDATA[Facebook security a laughing matter for cofounder]]> Officially, Facebook is treating the onslaught of viruses piggybacking on the social network's popularity as a very, very serious matter. We're talking Sheryl Sandberg serious. Facebook's press statement reads: "We are investigating every report, removing false content, blocking bogus links and addressing the concerns of our users. These efforts have limited the affected users to a small percentage of those on Facebook." The unofficial response from cofounder Dustin Moskovitz, posted on CEO Mark Zuckerberg's Facebook profile, is much more fun:

If you need the joke explained, Moskovitz is making fun of a common tactic used by hackers: Sending fake messages which appear to come from an authority, in an effort to get people to give up their passwords. But he's got a backhanded point. If Facebook insists on using its own software to make major announcements, a fake Mark Zuckerberg has a decent chance of fooling a lot of the people, a lot of the time.

]]>