Robert Vamosi

Most Recent Posts by Robert Vamosi

How Hacktivism Affects Us All

Illustration by Edel Rodriguez

In December 2010, a group of nearly 3000 activists under the name “Operation Payback” launched online attacks against PayPal, MasterCard, and Visa, briefly knocking the three financial services’ sites offline and attempting to prevent consumers from accessing their online banking services. The activists retaliated against the three companies for severing ties with WikiLeaks, an online repository for whistleblower data that had recently included thousands of secret communications from the U.S. State Department and other world governmental agencies. Nine months later more than a dozen people--most between the ages of 19 and 24--were arrested in connection with these denial-of-service (DoS) attacks, even as new attacks were hitting corporate, military, and government sites worldwide.

A combination of hacking and social activism, hacktivism is defined as the use of digital tools in pursuit of political ends. The earliest example dates back to 1999, when the loose network known as Cult of the Dead Cow created “Hacktivismo,” an organization espousing that freedom of information was a basic human right. The group designed software to circumvent censorship controls on the Internet that some governments used to prevent citizens from seeing certain content.

A Hidden Security Threat: Beware the Office Multifunction Printer

Cybercriminals are always looking for easy ways to break into your network, whether at work or at home. In a talk at this summer's DefCon 19 conference, security researcher Deral Heiland demonstrated various ways to compromise Internet-ready consumer-grade multifunction printers. These include printers that can scan to a file, scan to email, and fax documents, and the vulnerabilities he found are similar across all vendors.

If you haven't taken the time to access the administration control panel webpage for your printer and change its default passwords, do so now. Unfortunately, that will only slow down a very persistent criminal.

Protect Your Online Privacy (Without Reading All the Fine Print)

Your personal data is out there. Every thought you tap out on Twitter, every status update you post on Facebook, and even the last credit card purchase you made is accessible via the Internet.

Although you might be happy to give up such information online for immediate gain (whether it's convenience or fun), your perspective may change when a coveted job offer fails to come through five years from now, or when marketers pester you next week with cleverly scripted personal advertising.

How to Mine Customer Data the Right Way

You have to run a business, and that requires understanding what interests your customers. But you also want to do the right thing and protect your customers' privacy.

How do you walk that line when trying to mine information from the Web? Some data-mining shortcuts, such as scraping data off of social networking sites, are obvious options. But taking such measures can get you kicked off a site for violating its terms of service, or at the very least it will incur the wrath of your customers.

Security Software: Testing in the Real Wild World

The malware threat landscape is ever-evolving, with thousands upon thousands of new pieces of malware each year, and with cybercriminals developing new attack methods. As such, security products--and our security testing methods--must evolve too.

When reviewing security suites and antivirus software, PCWorld works with AV-Test, a respected security testing lab based in Germany. AV-Test looks at various aspects of a security product's ability to detect and block malware, including its ability to stop both known and unknown threats.

Battle of the Security Superpowers

It's no longer enough for antivirus software to scan files on your PC. You need someone looking over your shoulder and telling you whether it's safe to click that link; whether the popup for that software update is legitimate; and whether that download from your favorite social network is actually a tool created by organized criminals for stealing your personal information. You need an all-in-one Internet security suite capable of identifying, blocking, and cleaning up after a wide array of malware.

Keep Your Credit Cards Safe From Skimmers

Artwork: Diego Aguirre

You're in a restaurant, enjoying a deep conversation. Peripherally, you see the waiter take your credit card and return a few minutes later with a slip for you to sign. You think nothing of it until a few hours later when you receive a call from your bank: Someone is racking up serious debt on your credit card, mostly for electronics purchases. Is it you?

Skimming, a form of high-tech financial fraud, is on the rise worldwide. It relies on sophisticated data-reading electronics to copy the magnetic stripe information from your credit card or debit card. It can capture both your credit card number and your PIN. And it's happening not just at restaurants but at neighborhood gas pumps and ATM machines.

What Your Digital Photos Reveal About You

Illustration by Stuart Bradford

The moment is special: Your kid just learned how to ride a bike without training wheels. So you fire up your iPhone's camera, snap a photograph, upload the image to TwitPic, and share the evidence of your child's triumph via Twitter.

When you post the picture, a subset of the 75 million Twitter users will know the exact location of you and your child. Digital photos automatically store a wealth of information--known as EXIF data--produced by the camera. Most of the data is harmless, but as Mayhemic Labs' Ben Jackson noted at the Next HOPE security conference in New York last July, about 3 percent of all photos posted on Twitter contain location data, and that figure is growing. Anyone on the Web who can read the data knows where the photographer was standing. And arguably this is a gross invasion of personal privacy.

Bank Lost Your Account Data? Here's What to Do

Illustration by Jashar Awan

Until early June, AT&T had an online tool that helped iPad 3G owners sign up for its mobile Wi-Fi service: Users typed in the 19-digit serial number for their iPad's micro-SIM card, also known as the ICC-ID (integrated circuit card identifier), and the site returned the e-mail address that the owner had used to verify registration. AT&T used that e-mail address to populate a log-in field on the Web registration form.

A group of researchers called Goatse Security spotted a flaw in this tool, and created a script that randomly generated and submitted ICC-ID numbers to the site. They got back over 114,000 e-mail addresses, including those of White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, and other high-profile iPad owners. Goatse Security did not contact AT&T first, but they did wait until the company changed the site before providing the e-mail addresses and serial numbers to a Gawker.com editor, who then disclosed the flaw.

Cross-Site Scripting: An Old Problem Returns

Illustration by Mark Todd

In May, Web security consultant George Deglin discovered a cross-site scripting (XSS) exploit that involved Facebook's controversial Instant Personalization feature. The exploit ran on Yelp, one of the three sites that Facebook had selected to test Instant Personalization. Deglin was able to obtain not only Facebook profile information shared with Yelp but also the e-mail addresses for that profile's Facebook friends--a potential gold mine for marketers and spammers alike.

Shortly after Deglin's XSS flaw was fixed, another one surfaced on Yelp, and Facebook temporarily suspended the Instant Personalization program on that site.

Bugnets Could Spy on You via Mobile Devices

Imagine sitting in a café and discussing the details of a business proposal with a potential client. Neither you nor the client has a laptop; you're just two people having a conversation. But unbeknownst to you, someone half a world away is listening to every word you say. Later, as you leave, you receive a text message referring to the proposal and demanding money in exchange for silence.

Illustration: Andy Potts

Recent research from two universities suggests that such a remote-eavesdropping scenario may soon be possible.

Maximum Security: 2010 Internet Security Suites

The year 2009 was a bad one for PC security: Online attackers created more malware last year than in the previous 20 years combined. Clearly, this means that in the realm of computer security, the rules have changed, and you can no longer rely solely on traditional definition-based antivirus software and firewalls to protect your PC. Instead, to meet this new breed of threats, you need a new breed of security.

Over the past few years, security suites have been improving, thanks both to the enhancement of traditional detection methods and to the addition of behavioral analysis. The latter technology detects malware based exclusively on how it acts on your PC--a good way of catching threats so new that security vendors haven't yet made definitions to identify them.
