Banks knocked offline, day after day - on Thursday, it was WellsFargo.com's turn. A digital skirmish between two European firms that grew so large it slowed Internet traffic worldwide. If it feels like the Net has been fragile lately, there’s a good reason: Computer criminals are launching more powerful attacks and are gaining the upper hand.

Security firms have been relatively successful in recent years countering denial of service attacks — criminal assaults that overwhelm websites with fake traffic to make them unreachable, the equivalent of speed-dialing a friend's phone repeatedly so no other calls can get through — with software designed to separate real traffic from fake, or simply by purchasing bigger Internet pipes that can absorb the requests.

But the equation is changing dramatically as criminals have learned how to use the Internet against itself.

Among the Web’s dirty little secrets: Economics strongly favor the criminals. They hijack bandwidth used for normal Web operations, concentrate it and aim it at a target. The more money that firms invest in bandwidth to protect against traffic floods, the more bandwidth crooks can steal and use to attack. Worse yet, the bigger the pipes going into hijacked computers, the fewer computers criminals must control to succeed in an attack. 

---

An attack that might have required 10,000 compromised computers in past years can now be accomplished with 100. That means the costs for the criminals is going down, while security costs are going up. 

"The problem is, this is an asymmetric war, an arms race we can't win because they are using our resources against us," said Rodney Joffe, senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "That's why building larger highways won't help. They just make use of our resources."

Wells Fargo told NBC News that some of those resources were used to knock it offline for part of the day Thursday.
“We’re seen an unusually high volume of website and mobile traffic which we believe is a denial of service attack,” the firm said in a statement.

'Not really much we can do'
Last week, a European denial of service incident that targeted spam-fighting organization Spamhaus and its Internet providers involved an incredibly focused attack that stormed the service with one of the largest measured attacks in history. There is debate about how much the rest of the Internet suffered as a result of the attack — in truth, the impact was imperceptible to most — but it would be a mistake to overlook it.  Experts expect copycats soon.

The Spamhaus attack used a technique that’s more than 10 years old. Domain name servers that run the guts of the Internet were tricked into sending a flood of traffic at Spamhaus. Hijacked computers with disguised, or spoofed, return addresses asked the DNS servers for long lists of data — specifically, to resolve website addresses — which were reflected and sent by the servers to Spamhaus servers.  Exploiting about 1,000 misconfigured DNS servers was enough to generate a record-sized attack. A group devoted to fixing such misconfigured machines says there are 25 million of them on the Web, ready to be exploited.

DNS attacks haven’t been top priority in recent years, partly because servers didn't need large amounts of bandwidth to do their relatively simple everyday tasks of matching numerical Internet addresses with common website names. Today, many are linked with high-capacity pipes, making them newly attractive takeover targets for hackers.

The bank attacks work differently. The group behind them — which calls itself al Qassam — uses an army of thousands of compromised computers called a botnet in coordinated actions to attack banks.  But al Qassam holds an advantage: A single compromised home PC, connected to the Internet with high bandwidth, can generate 100 times the malicious traffic as a similar computer five or 10 years ago.

"There's not really much we can do about that," said Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks. "Speeds are going to get faster."

Changing tires on a moving bus
Aaron Rudger, a spokesman for Internet traffic measurement firm Keynote, notes that denial of service attacks rarely escalate beyond a major annoyance for companies or consumers. Traffic after the Spamhaus attack was back to normal within a few hours as packets found other routes to their destinations.  Consumers who need access to their bank accounts can use the telephone, or in some cases, even mobile phone apps when a bank’s website is down.

“You can't really kill the Internet,” Rudger said. "The Internet in general is inherently very resilient.”

There are ways to fix the denial of service attack problem, but they are expensive and would require fundamentally changing the protocols that govern the way the Internet works. And it would all have to happen without interrupting Internet service.

“It’s akin to changing the tires on a bus moving 60 mph,” Joffe said. “We have to rethink the entire thing.” Proposed new rules would make it impossible to use fake return addresses, for example, but Internet service providers around the globe would have to agree to the changes.

Avivah Litan, a banking security analyst with consultancy Gartner Group, said that an even more radical change might be necessary, because there’s really no way to get rid of the criminals.

“We might have to put the banks on a private Internet,” she said. “Because we are not going to get rid of the people attacking the banks ... You might think the only way it's going to end is if we take them down, but they are like Al Qaeda, totally distributed. In fact they are 1,000 times more distributed.”

Follow Bob Sullivan on Facebook or Twitter.

Related:

• Cyberattack on banks signal urgent need for security bill, lawmakers say
• Bank website attacks reach new high: 249 hours offline in past six weeks

In the ugly battle of Web users vs. insurance companies, a lot of blood was spilled this week.

We've known for a while that hell hath no fury like an Internet user scorned. But at the intersection of social media, consumer frustration, anxious lawyers and heavy-handed regulations you'll find a particularly tricky corner of the Web. Insurance firms, which have always been a magnet for complaints anyway, lie at precisely this crossroads.  

Increased competition has led insurers to employ high-profile marketing gimmicks, like geckos or touchdown dances, in an effort to become household names with friendly reputations. That means it's become necessary for them to establish a social media presence. Progressive's "Flo" character, for instance, has her own Facebook page, with hundreds of thousands of fans. But inviting social dialogue sometimes means inviting trouble, as Flo and her handlers found out the hard way this week.

---

Progressive encountered a Twitter revolt after the family of a woman killed in a car crash wrote a blog post criticizing the way the firm fought to avoid paying a claim. The post went viral, and the insurance giant then compounded its problems by spitting out automated tweets in response.

Experts who talked about the incident this week said Progressive fell into a trap that often catches large companies as they stumble around the social media world.

"The original response sounded genuine," said Jason Falls, a digital marketing consultant who helped health care firm Humana set up its social media program. "But the fact that they auto-responded the same statement to multiple people showed it was just a copy-and-paste job. More often than not, when that happens, it's not the technology that's to blame. You can blame it on the legal and compliance teams saying, 'You can say this and only this.' It makes you look cold and insensitive."

Both sides have willingly joined the insured-vs-insurers Internet fight. Insurance firms increasingly use the Web as a weapon against fraud, while consumers band together to demand better service, or to appeal denials of coverage. Both can claim victories. There are plenty of stories of insurance investigators who catch disability recipients bragging about completing triathlons on their Facebook pages or tweeting about a great trip to Paris while claiming depression. Meanwhile, earlier this month, a social media firestorm caused Aetna to back down and agree to cover colon cancer treatment costs for an Arizona patient who'd already exceeded his lifetime cap. A flurry of angry tweets really can make a big company reverse course.

'Shame on you'
Fall said he's used to seeing nasty comments pile up on insurance company blogs, Facebook pages and in Twitter feeds.

"It does make me cringe, but I also think it comes with the territory," he said.

It doesn't take long to find cringe-worthy comments on insurance company social media sites. Even days after the initial Progressive firestorm, comments left on Progressive's otherwise happy "Flo the Progressive Girl" Facebook page were dominated by vitriol: "Shame on you," says one. "Has Flo ever wondered why Progressive tries to get killers off the hook?" says another. Many writers called on the actress who plays Flo to quit.

Flo's hardly alone, however. When American Medical News did a survey of health insurance Twitter accounts last year, it found a never-ending stream of complaints:

*"Dear Cigna: How about, for the new year, you do something radical - like processing claims without 500 phone calls from me?"

* "Dear Humana, you've ruined my day. Worse, my wife's day. Way to CYA. I'm paying you to cover mine."

*"@Anthemhealth, so far u didn't send me my ID cards … kept me on hold for 25 mins and ur site isn't lettng me register. Nice service."

Insurance, necessarily, involves rejection. When you are in the business of frequently disappointing people, and making sure your rejections are lawsuit-proof, it's nearly impossible to run a free-spirited social media shop. Rachel Poor, who runs the social media marketing firm Thread Communications, said all heavily regulated industries face the Progressive dilemma.

"I think social media is still a sort of an enigma (to them). They all want to be there, they are told they should be there, but these companies are not used to people talking back to them in such a public forum," she said. "Ultimately, I think it will require insurance agencies to change the way they do business.”

Greg Matthews, a director at social media consulting agency WCG in Austin, said insurance companies often have to go into a Twitter or Facebook fight with one hand tied behind their backs.

"Particularly in health care or financial services, there are privacy-related issues that you just can't discuss," he said. For example, if a patient complains about an uncovered medical procedure, the insurance company can't publicly talk about the patient. "People want you to be transparent and authentic all the time, but you just can't. ... It can be terribly frustrating.”

Falls said companies he works with expect the occasional public flogging after turning on a Twitter account, and they manage to survive by planning ahead.

"The thing I've tried to do with any client opening up its customer service channels -- you have to have a crisis communications plan mixed with a customer service plan," he said.  "You have to anticipate what will happen. ... Companies that dive in without a plan of attack for those situations are finding it difficult."

No stiff upper lip?
Automatic and formulaic responses have gotten many companies through old-fashioned media crises, Falls said. For example, journalists are often tolerant of canned answers, he noted -- but they typically don't fly on social media. If a Twitter response doesn't sound like it's written by a real person in response to a real person, the company is likely going to take a hit to its reputation. On the other hand, when million-dollar settlements might be at stake, no insurance company lawyer is going to be comfortable with a social media employee free-lancing responses. So Falls suggests a middle path.

"You have to have a lawyer on staff who can be on call and help your social media team craft communications in crisis situations," he said. "When you have a big publicity problem, you have your legal team working hand-in-hand with PR. Why wouldn't you do the same thing in the social media world?"

In general, he recommends that firms post a detailed, formal response on a website, and instruct their social media writers to tweet or post links to it, while adding personal notes separately. 

There are challenges, however: Many lawyers and companies don't have the stiff upper lip needed to ride out a social media crisis.

"Any industry that's heavily regulated will always have a layer of legal and compliance teams that have to be trained, and have to buy in," he said. "It can be done with the right legal team. But if you have a team that constantly says ‘no,’ it'll never work."

Matthews said effective social media must also be fast, and that's often unfamiliar territory for insurance firms.

"It means really changing processes that companies use. Rather than convening the executive committee for two days to make a decision about things, boil it down to the two or three people who can actually make a decision in hours and not days," he said.

It also means knowing who the influencers are in certain topics ahead of time, and planning to engage those people immediately when a crisis hits.

"It's not that hard to know these days who are the folks likely to be influential in this conversation," Matthews said. "You know what the top 10 issues that you might face are, and you know who is likely to be the most influential when those stories break, the people who might take your side or be opposed. ... Ask yourself how do you engage them. What is the content you can bring to bear that articulates your position rather than letting the public run wild. You can never control the conversation, but you can make sure your side is heard."

Finally, and most important, companies have to actually deliver on their promises, perhaps in a way they never have before, Matthews said. If a Twitter user complains and is asked to call customer service by a social media worker, that customer service experience had better be positive, Matthews warns. Otherwise, the angry consumer will have heavy new ammunition for waging a social media war.

"It really helps you find your skeletons in the closet," he said. "You have to have a mindset that you are grateful your customers are telling you what you are doing wrong, and you have the opportunity a chance to fix it. I know a lot of companies, maybe most companies, don’t feel that way, but that’s the only way to be successful in social media.”

* Follow Bob Sullivan on Facebook.
* Follow Bob Sullivan on Twitter. 

It sounds like one of those crazy rumors you get in an e-mail from a friend: "Did you hear? They're going to tax the Internet!" Only this time, it's true.

The days of tax-free shopping are quickly drawing to a close for all except those willing to drive to places like Delaware or Oregon. A two-front assault on Web shoppers is in full force — Congress is considering legislation that would pave the way for states to force sales tax on point-and-click shoppers, and Amazon.com is making numerous one-off deals with individual states, where it will be collecting taxes no matter what Congress does. Together, these two developments make an Internet sales tax all but inevitable.

For years, brick-and-mortar stores were at an incredible disadvantage to online retailers that could offer tax-free shopping. If you are a fair-minded person, it's hard to muster an argument that this situation — in which online shoppers enjoy a 5 percent to 10 percent "discount" because they point and click instead of drive or walk — was anything but unfair. 

On the other hand, despite all the word games being played by all the interested parties — the Senate version of the legislation is called the "Marketplace Fairness Act" — there is only one way to describe why your online shopping bill is about to go up: a new tax.

---

The National Conference of State Legislatures says states stand to gain $23 billion in new revenue when online sales tax collection kicks in. That's $23 billion the states weren't collecting before, and $23 billion you weren't paying before. Texas and New York residents will pay about $1.8 billion more; Californians, $4.2 billion. That's real money.

To boil it down, Forrester Research says the average U.S. online shopper will soon spend $1,700 annually — so the changes will cost each one about $125 every year. 

That's $125 in new taxes you’ll be paying. It's $23 billion our state governments will have to spend that they currently don't have. Of course, very few are willing to say the "T" word out loud. George H.W. Bush learned that lesson for every future politician when his "no new taxes" pledge ended up defining his career. So you won’t hear supporters admitting it’s a tax.

"It's not a tax issue. It's a collection issue," David French of the National Retail Federation told me. He's senior vice president of government relations at the federation, which supports the legislation. French is right, strictly speaking. You probably know that consumers who don't pay sales tax when they buy a TV on Amazon.com are supposed to pay a "use tax" later to their own state governments. And you probably also know that almost no one does that. In the sparse data on use tax you'll find, you'll see a 2009 study that shows that 0.3 percent of California residents reported use tax on their income tax filing. Maine, by the way, wins the crown for most honest taxpayers, with 9.8 percent paying use tax that year. 

"I don't want to say they are breaking the law, but I will say they are avoiding application of the law," said French.

So strictly speaking, the states would simply be getting better at collecting that which they are already owed.

"Americans want to see that the taxes that are due are paid before anyone's taxes are increased," French said.

Inevitable
I'll invite you, readers, to come up with your own analogies, but here's mine: If tomorrow, every state in the nation hired a bunch of new state troopers and began giving out speeding tickets to everyone driving 56 mph in a 55-mph zone, I'd call that a new tax. When everyone has done something for years without sanction, it's no longer illegal. Suddenly enforcing an unenforced law is the same as passing a new law; suddenly enforcing an unenforced tax is a new tax.

It's a testament to our tortured relationship with governing that such a straightforward debate leads to such intense obfuscation. One Net sales tax supporter I spoke with on background started to say, "People agree that everyone should pay their fair share," but then caught himself, fearing he had just made an enormous verbal gaffe. Talking about "fair share" triggers an entirely different debate, he feared. One reason the U.S. is floundering is our inability to even speak clearly to one another, so laced with vitriol is our marketplace of ideas.

So I'll speak plainly: It's a new tax — you'll be paying more to the government than you do today — unless governors who institute the tax agree to cut some other tax by an equal amount. Perhaps they could lower the overall sales tax rate by a fraction of a percentage point so the Internet sales tax is really a neutral event on consumers? Unless your state does something like that, don't let your politicians get away with campaign claims that taxes haven't been raised.

The real question, of course, isn't about the word "tax." The real question is: Is an Internet sales tax fair? On that issue, there's just no argument. If there's a sales tax, there's no reason online shoppers should be exempt.

"If it were up to retailers, we would abolish sales tax," French said. But since it has to be collected, it should be applied equally to all retailers, he argues. The legislation "corrects a discriminatory treatment of some retailers over others."

The federal Net sales tax law has gained a lot of momentum. At a Senate hearing Wednesday and a House hearing last month, there was surprisingly little pushback. Sen. Jim DeMint, R-S.C., leads the opposition and wrote an op-ed piece in The Wall Street Journal on Wednesday making the federalism case — he argued that e-commerce firms in California shouldn't have to obey out-of-state laws. The argument rings pretty hollow in our ever-connected world. 

Meanwhile, even some Republicans with sterling conservative reputations — like New Jersey Gov. Chris Christie — have come out in support of the Marketplace Fairness Act. Still, it almost certainly won't pass during this election season. There are only a couple of days of legislating remaining before Congress enters full-time campaign mode, and I promise that no one will campaign on an Internet sales tax platform. 

No matter. Amazon is taking all the anxiety out of the political conversation, anyway. It is slowly adding sales taxes to shoppers' purchases around the country — Texans just started paying when they check out at Amazon.com; in September, California residents will, too. (Amazon, as explained in detail here, is willing to give up its sales tax advantage because it plans to build distribution centers around the country in an effort to offer same-day shipping and slay brick and mortar shoppers that way.) 

Ten states in all will be taxed by next year. By then, so much of America will be used to paying sales at the world's largest Internet retailer that it will hard to muster opposition to a federal Internet sales tax law. And French believes both Mitt Romney, a former governor, and Barack Obama would sign a law passed by Congress.

In other words, it seems inevitable: You're going to pay more to shop online. If you don't like it, don't fight the Internet sales tax – fight your state's sales tax policies. An Internet sales tax is only fair.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.

Nearly one in six convicted sex offenders is using sophisticated techniques invented by identity thieves to avoid their legally mandated registration requirements, a new study has found. These digital absconders might be able to avoid post-incarceration restrictions by living near schools and playgrounds, and could possibly gain employment working with children.

The study, conducted by Utica College and funded by the U.S. Justice Department, estimates that roughly 92,000 of the 570,000 registered sex offenders across the country are systematically manipulating their names, birthdays, Social Security numbers and other personal identifiers so they can live as they want while appearing to satisfy court-imposed or statutory restrictions.

"These are offenders who are flying under the radar and authorities don't know it," said Don Rebovich, the Utica professor who directed the study. "The authorities really don’t have the resources to keep on checking on these people. Offenders find where the vulnerabilities are in the system and exploit them."

---

These digital absconders create two obvious problems. Communities expend energy and resources dealing with offenders who aren't really there -- local police knock on doors and send notices to warn neighbors; public listings are published on the Internet. And sex offenders live where they please as normal adults, without any protective measures kicking in.

"In the worst-case scenario, by thwarting registration requirements, they could potentially have easier access to children," said Staca Shehan, director of case analysis at the Center for Missing and Exploited Children, who is familiar with the study. "(In) those jurisdictions that have residency restrictions that would not allow (offenders) to live within distance of a school, daycare or park, (they) could avoid that type of requirement."

While the study found that an average of 16.2 percent of sex offenders manipulate their identities nationally, some states fared worse: Louisiana, Washington, D.C., Nevada, Tennessee and Delaware all had digital absconder rates of higher than 25 percent.

Officials in Tennessee, Nevada and Delaware challenged the study's conclusions and complained that they had not been contacted by the researchers for additional information that might have clarified the results; officials in the other states did not immediately respond to requests for comment.

'Strategic' manipulation
Shehan said there are generally two kinds of sex offender absconders: those who simply fail to keep their records current, and hope they fall through the cracks; and those who are more systematic in their evasion, intentionally altering their identities so they can circumvent the restrictions. 

"That takes a lot more thought," she said. "They are much more strategic about what they are doing ... and so that's much more concerning."

In one celebrated case of sex offender identity manipulation, a convict named Frank Kuni changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey. Kuni was recognized by a mom after he knocked on the door of her Pennsauken home, and he was later sentenced to three years in prison. Kuni’s case attracted national headlines because of the fear it created surrounding temporary Census workers.

The Utica study, believed to be the first attempt to quantify these more strategic absconders, was conducted by Utica College's Center for Identity Management, set up to examine a variety of identity issues in the digital age. Rebovich is director of the center.

It's well known that some sex offenders neglect their registration requirements, dropping off the grid and accepting only cash-paying jobs to remain hidden. But the Utica study found something more subtle, and perhaps more disturbing -- sex offenders who appear to be satisfying their registration requirements while living a digital double life.

In a parallel survey of 223 law enforcement agencies from 46 states, Utica found that awareness of ID-theft style registry evasion was low -- only 5 percent of respondents said they knew of an identity manipulation case within their jurisdiction. 

And nearly 40 percent of the agencies responded that they had zero absconders, suggesting some law enforcement agencies are unaware of the problem.

The power of the Utica study lies in the use of sophisticated algorithms developed by private firm ID Analytics, a fraud-fighting company used by many large banks and other financial institutions. ID Analytics receives more than 1 billion credit applications and other credit-related events from clients every year. It uses sophisticated software to track the behavior of identity thieves across the credit system, and can find fraud that individual firms miss. It knows, for example, if a criminal uses a systematic series of birthdays or addresses on a set of credit card applications at various banks in an attempt to evade fraud detection. The ID Analytics tool has enough data that it can generally tell the difference between honest typographical errors and systematic fraud attempts. 

ID Analytics ran sex offender data through its massive database of credit-related events, and found evidence of rampant identity manipulation among the offenders.

Kristin Helm, a spokeswoman for Tennessee's sex registry, challenged the study's findings, saying that fewer than 1 percent of that state's sex offenders are absconders. Criminals have always used false identities to try to evade police, but law enforcement systems are geared to handle that issue, she said. "Fingerprints obtained by law enforcement identify individuals regardless of a name or Social Security number," she said, adding that names sometimes change for legitimate reasons, too, such as marriage. 

But Stephen Coggeshall, chief technology officer for ID Analytics, said his technology is well-versed in screening out mundane reasons for identity changes and finding patterns that specifically indicate active evasion is taking place.

"This goes way beyond typos," he said. "These are people who have slightly adjusted or substantially adjusted their personally identifiable information for a reason. They are actively doing so, and we are observing them use these aliases relatively recently."

Nevada spokeswoman Julie Butler also questioned the validity of the study, which she had not seen. She said that Nevada uses fingerprints to track sex offenders, so identity manipulation techniques would be ineffective.

"Our registry is fingerprint-based. We don't base it on date of birth, or Social Security number, or name," Butler said. "They can put down their name as whatever and we still have them in the database."

But Coggeshall responded that even in states which use fingerprint identification, an identity manipulator would only be discovered when trying to engage in an activity – such as becoming an elementary school teacher – which triggers a fingerprint evaluation. 

"In general it doesn't help you track where they are or if they're living under an alias at an unregistered location," he said. "It can help to find sex offenders as they enroll in certain groups, but many … groups don't routinely fingerprint new enrollees."

SSNs connected to multiple people
Two years ago, using this tool on a database of Social Security numbers, ID Analytics found that rampant evidence of identity theft: 5 million SSNs were connected to three or more U.S. adults in credit applications, and 140,000 were associated with five or more people, indicating almost certain fraud. The tool can also track individual identity manipulators, as ID Analytics calls them, as they attempt various frauds across an array of credit issuers.

This tool was turned on the sex offender registry problem at the invitation of Utica College in Utica, N.Y., beginning last year. ID Analytics took a large sample -- nearly 100,000 -- of the 570,000 active registered sex offender records and ran them through its credit application database, looking for signs of manipulation.

The findings were disturbing. In Louisiana, the study found, nearly two-thirds of offenders' records showed signs of manipulation. Rebovich theorized that Louisiana's problem might stem from the aftermath of Hurricane Katrina, which gave some people a golden opportunity to drop off the grid.

Officials in Louisiana did not immediately respond to requests for comment.

In many cases, the study found, the steps criminals take are subtle -- changing an address from "440 Monroeville Road" to "434 Monroeville Road," for example. In fact, in the majority of cases, digital absconders were much more likely to move across town than across the country. Absconders who fake their address are six times more likely to remain in the same state than to cross state lines, the study found, and 90 percent of those who remain in state stay within 40 miles of their original registered address. In many cases, the data shows, those addresses belong to a family member. That might allow absconders to show up on a moment's notice at their registered address in case local police do a random check, Rebovich said.

But the address change could also allow them to apply for jobs and housing they would otherwise be unable to qualify for, he said.

While half of the manipulations involve bad addresses, plenty of other types of evasion are going on, the study found. One subject studied had five names, three Social Security numbers and four dates of birth, for example.

About 10,000 offenders had used at least four different Social Security numbers, Rebovich said. The evidence indicates this was usually done to evade the court registration requirements rather than commit financial identity theft, the study found.

One reason sex offenders seem to get away with evasion is that registration requirements are set by states and vary widely. In some states, convicts merely send updates through the U.S. mail to state officials, and are subjected to little, if any, verification. In others, officers try to check on sex offenders, but ofter are assigned hundreds, or even thousands of offenders, to track.

In other states, such as Florida, there are strict requirements and frequent random inspections, Rebovich said. That shows up in the data -- Florida's digital absconder rate is about half the national average, at 9.4 percent.

The study was funded by the Justice Department's Bureau of Justice Assistance, which plans on issuing a comprehensive report later this fall. Requests for comment from the Department of Justice went unanswered.

'System is never going to be perfect'
Shehan, of the Center for Missing and Exploited Children, said she didn't believe that the potentially high rate of digital absconders means the entire sex offender registry program is broken. In fact, she said the situation has improved since passage of the Child Safety and Protection Act of 2006, which instituted some national standards on offender registries.

Still, she said it's important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.

"Criminals are constantly thinking of ways to beat the system," she said. "The system is never going to be perfect."

Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring. 

"We are trying to develop a predictive model," he said. "So we can turn it into an alert system, so states can do this in real time, if they want to."  

Coggeshall said such an alert system would have helped police track down Frank Kuni before he was able to get a job with the Census Bureau.

"In retrospect, we know there are things we would have been able to observe" he said.

http://on.msnbc.com/topnewsemailsignup">Click here to sign up to receive our Top News email each day.

 *Follow Bob Sullivan on Facebook.

*Follow Bob Sullivan on Twitter.  

Has the U.S. government been caught with its virtual hands in the world's cookie jar? And might it lose control of the Internet as a consequence?

If you were among the forces on the planet wanting to wrest control of the Internet from the U.S.-friendly agencies that manage it, that's the story you'd surely want to tell. 

But things are rarely what they seem.  The barrage of Flame news – including word that Flame and Stuxnet appear to have common authorship -- should not be viewed in a vacuum.

---

A group of nations led by China, Russia and several Middle Eastern countries would love to see the end of U.S. dominance over the operational control of the Internet, and these nations think they have found their vehicle for accomplishing that: A U.N. body called the International Telecommunications Union.

 

The organization, which manages international telephony agreements, will meet in Dubai in December and attempt to extend its charter to take operational control of the Internet away from the U.S.-dominated nonprofit International Corporation for Assigned Names and Numbers, or ICANN. 

Even as news of Flame first hit, an ITU working group was meeting in Geneva to finalize the agenda for the Dubai meeting. At almost the same time, there was a hearing in an obscure congressional subcommittee where experts rang alarm bells about an ITU coup.

The argument that the U.S. should not be in a position of power as far as overseeing the Internet will be bolstered by a world set aflame by news that the U.S. may have exploited its technological advantage to attack sovereign nations with Flame and Stuxnet.

Some technology experts say the Dubai meeting could very well decide the direction of the world's most valuable resource - information - for the rest of the 21st century:   The future of Internet anonymity, free speech and perhaps freedom itself could be at stake.

"I think there is a political story that is being missed here," said Chris Bronk, a former State Department official who worked in that agency’s Office of eDiplomacy and is now a professor at Rice University. "There's much more to this. … Stuxnet was better than bombs in the short run, but this could hurt the U.S. down the road.”

Conspiracy theorists -- including several interviewed for this story who requested that their comments remain off the record -- point out that the world learned about Flame from a Moscow-based antivirus company (Kaspersky Labs), and the ITU chose Flame as the subject of its first-ever international cyber-warning, claiming for the first time an important role in cybersecurity affairs.  They see the grand publicity surrounding Flame as little more than a power grab by the ITU in advance of the Dubai meeting, dubbed the World Conference on International Telecommunications (WCIT).

“If you want to be cynical, this is definitely a play by an international group to try to gain control over arguably the world’s most valuable resource,” said Paul Rohmeyer, a Stevens Institute of Technology professor who specializes in cybersecurity and international issues, and one of the few members of the conspiracy camp willing to connect the dots publicly.

But you don't have to draw such a direct connection to see the relationship between Flame and ITU's desire to find and flex new power. Kaspersky Labs, the Russian firm that continues to publish the most informative details about Flame, has a solid reputation in the security research world, and there’s no reason to believe it is acting on behalf of Russian national interests. Still, it's impossible not to view Flame -- and recent revelations about Stuxnet -- without understanding the diplomatic backdrop.

“If I were advising Russia, I would be all over the place waving these stories around,” said Eneken Tikk, formerly the legal and policy advisor for NATOs Cooperative Cyber Defense Centre in Estonia.  “It seems like a great opportunity to increase pressure on talks around cyber threats to international peace and security and gather a coalition of potential victims to say, ‘We see the U.S. establishing itself on the Net in offensive way, we need an international umbrella to do something.’”

If the U.S. is guilty of escalating cyberwar by writing computer code that disabled critical Iranian computers, there is no question that forces around the globe will try to exploit the news to their own ends. While most analysts have focused on the potential that Flame invites other countries to counterattack the U.S. with similar cyber-bombs, the real threat might be the rationale it could provide for ending the free-flow of information around the Web.

“It's very concerning from a purely political standpoint. You can see why a group like ITU would be incentivized to release this news,” Rohmeyer said. “I’m guessing that's what they are trying to set up. They are building their case for internationalization. They have everything to gain and the established order, which is U.S.-based, has everything to lose.”

U.S. officials aren't blind to the threat; they've made very public warnings about it. In February, Federal Communications Commission member Robert McDowell wrote an op-ed piece in the Wall Street Journal where he criticized the ITU:

"The most lethal threat to Internet freedom may not come from a full frontal assault, but through insidious and seemingly innocuous expansions of intergovernmental powers," he wrote. "Scores of countries led by China, Russia, Iran, Saudi Arabia, and many others, have pushed for, as then-Russian Prime Minister Vladimir Putin said almost a year ago, 'international control of the Internet' through the ITU."

McDowell also testified before that congressional subcommittee on May 31, and warned that "pro-regulation" forces led by China and Russia are far more organized than U.S. allies.

"While precious time ticks away, the U.S. has not named a leader for the treaty negotiation," he said.

Some in Congress were even more blunt:

“If we're not vigilant, just might break the Internet," said Rep. Greg Walden, R-Ore.

The dire-sounding warnings aren't coming solely from U.S. government officials, either.  Even the so-called “father of the Internet,” Vint Cerf, expressed grave concern that day in Congress.

“(The Dubai meeting) holds profound—and I believe potentially hazardous— implications  for the future of the Internet and all of its users," he testified. "If all of us do not pay attention to what is going on, users worldwide will be at risk of losing the open and free Internet that has brought so much to so many.”

Nor is the alarm coming just from the U.S. Toomas Hendrik Ilves, president of Estonia, rang alarm bells on Friday during the International Conference on Cyber Conflict in Tallinn.

“The outcome of (the Dubai meeting), and related processes, will help determine the topography of the Web for the next two decades,” he said. “While this conference may fall into the domain of ministries of commerce and communications, make no mistake, there will be major cybersecurity ramifications. More ominously, we will face calls to limit free expression as we know it on the Web today.”

But as Western nations try to draw battle lines, the reality of Flame and Stuxnet muddies the argument considerably.  The U.S. risks losing moral high ground through stories about such cyberattacks.

"When we had plausible deniability for Stuxnet, we could make the argument more easily,” Bronk said. “This completely cuts at the knees the Internet freedom agenda.  How can the U.S. use clandestine cyberattack to go after a threatening regime, and then push the free agenda? "

As Rohmeyer sees it, the combination of U.S. cyberattacks and the Dubai meeting puts the Internet at “an age-old crossroads.”

What might change mean?
The ITU has its roots in an organization created during the 1860s to standardize cross-border telegraph traffic in Europe. It became a U.N. body after World War II, focused almost entirely on simplifying international telephony. Only recently has it tried to extend its charter to Internet traffic, most notably with the creation of an agency called The International Multilateral Partnership Against Cyber Threats, or IMPACT, based in Kuala Lumpur. Modeled after national computer emergency response teams, IMPACT’s stated mission is to share time-critical computer vulnerability and virus information around the globe. The U.S. has so far refused to join ITU’s IMPACT. Russia, China, Iran and about 140 other nations are members.  

IMPACT tried to take the lead in international dissemination of information about Flame, using the virus as cause for its first-ever warning.

How might ITU change the way the Internet works? No one knows, of course, but there are obvious reasons for concern.  Chinese officials have repeated stated they want an Internet where users must register by IP address, effectively ending anonymity and, perhaps, Internet-based uprisings. 

McDowell warns that Russia, Tajikistan and Uzbekistan asked the U.N. General Assembly to create an “International Code of Conduct for Information Security” to mandate “international norms and rules standardizing the behavior of countries concerning information and cyberspace.”  Even  ITU’s head of corporate strategy, Alexander Ntoko, raised eyebrows  earlier this year in Cancun when he predicted that anonymity online would end.

“Why countries are interested in the ITU varies. … China and Russia, their motivations are not very friendly to human rights or openness,” said Cynthia Wong, a lawyer for Center for Technology and Democracy. “Other places feel like they don't have a voice in the current process. “

One of the main criticisms of the process is a lack of transparency and the limitations on participation of non-governmental groups, according to complaints publicized but the Center for Technology and Democracy and human rights groups.  But it’s clear the ITU plans new ways to raise revenue, which might lead to some form of a per-click tax, according to witnesses who testified before Congress at that May 31 hearing.  wong also expects the ITU to push for mandatory standards for packet delivery – Net standards have been voluntary so far -- which could be a precursor for giving nations more control over incoming and outgoing Internet traffic at their borders.

One state, one vote
“Part of the problem with ITU process is that it's so opaque, so it is really hard to understand what might be at stake,” Wong said.  “But what we do know is Russia and some of the Arab states have put cybersecurity on the table.  There are proposals for greater regulation of traffic routing for security purposes.  Depending on how such regulations are implemented, it could be used to justify greater intrusions on privacy and fundamentally change how the Internet currently works technically.”

In other words, such proposals would make it easier for nations to control Internet traffic.

Practically speaking, it will be difficult for ITU to grab control over the central tool governing the Web – the domain name system – in Dubai. That system is currently operated by ICANN. But a sizable block of non-U.S. countries agreeing to mandatory routing standards could still wield considerable power. Treaty negotiations are one state, one vote. The U.S. government could make a reservation with something in the treaty, but if ITU standards become mandatory, all Internet users could be impacted. One potential outcome would see a “splitting” of the Internet, where traffic from nations following one standard is denied by a bloc of nations following another.

But Wong’s chief concern currently is that groups like hers aren’t welcome in the proceedings. On May 17, the Center for Democracy and Technology and 20 other non-governmental agencies from around the world sent a letter of protest to Secretary-General Dr. Hamadoun Touré, who is running the meeting, saying “there has been scant participation by civil society” in the run-up to Dubai.  But Wong thinks the influential Internet protests around SOPA demonstrate that no government agency will be able to pull a fast one on a recently empowered digital constituency.

“One of the lessons you can pull from SOPA is this: The time when governments can go behind closed doors and make important decisions about how we use the Internet is gone. That’s not acceptable anymore,” she said. “There is a community of users who are paying attention, and are really concerned about the future of the Internet. They are not going to find it acceptable anymore to use these old ways of creating laws. And it behooves governments involved in this to pay attention to that.” To that end, several groups have collaborated to create WCITLeaks.org, to encourage anonymous uploading of conference-related documents.

The experience of SOPA might make the Flame and Stuxnet sagas even more important. Could the potential for Internet users to rise up against U.N. control of the Net be blunted if the alternative seems to be continued control by the U.S., its image damaged by Flame and Stuxnet?  Rohmeyer thinks so: Like many technology experts, he’s skeptical of claims that Flame is the most powerful virus ever created. As others have pointed out, Flame is so large that it’s clearly not designed for stealth operation – whoever created it almost begged for it to be found. He thinks a big part of the publicity around Flame is a function of this battle for control of the Net.

“Is the U.S. releasing viruses so powerful that it needs to lose its control of the Internet?” he said. “I don't think by itself the release of Flame rises to threshold. I’m dubious of is effectiveness, and suspicious of those claims.” 

There are also open questions about ITU’s ability to take operational control over the Internet and cybersecurity.

'No country is an island on the Internet'
“The ITU has been kind of like one big group hug,” said Rohmeyer.  “Do U.N. groups have a track record of success with this kind of operation? The ITU was a standard-setting body for telephony. Once you move out of the connectivity realm into operational controls – wow! That gives them an enormous amount of power. ICANN seems to be functioning. When I woke up this morning, the Internet seemed to be working. I don’t think (ITU) has been in this business before.”

Not everyone in the U.S. is against giving ITU more control over cyberspace.  Jody Westby, who launched the Central Intelligence Agency’s famed In-Q-Tel technology investment arm and is now a highly sought-after U.S. cyberexpert, penned a column for Forbes last week strongly endorsing U.S. participation in IMPACT.

“No country is an island on the Internet, and the U.S. cannot expect to be able to adequately respond to cyberattacks or malware infiltrations without the input and involvement of others around the globe,” said Westby, who disclosed that IMPACT was previously a client of her consultancy firm. “The U.S.’s ‘our way or the highway’ attitude in the important area of cybersecurity appears petulant.”

She also said that, absent U.S. participation, other nations will look to Russia and China for leadership.

“The U.S. appears as the shirking nation state quietly standing on the sidelines while being accused of engaging in cyberwarfare tactics,” she said.

But Rohmeyer was was among those who wondered aloud what was in it for the U.S.

“There is no upside for the U.S. (in participation),” he said. “Is the Internet going to be managed better? Will it be more open?”

Many experts think the end result of Dubai will mean the already tense balance between bottom-up governance, where private firms dictate policy through collaboration, and top-down governance, where governments mandate Internet policies, will grow even more stressed. So will the tension between anonymity, free speech and U.S.-friendly control on one side, they say, vs. accountability, control, and Chinese/Russian/Arab interests on the other. McDowell, from the FCC, has repeatedly warned that even a positive outcome for the U.S. in Dubai offers little reason to celebrate. 

“Given the high profile, not to mention the dedicated efforts by some countries, I cannot imagine that this matter will disappear,” he testified before Congress. “Similarly, I urge skepticism for the ‘minor tweak’ or ‘light touch.’ As we all know, every regulatory action has consequences.”

Phillip Hallam-Baker, writing in the online magazine CircleID, compared the balancing act to the uneasy management of the Church of the Holy Sepulchre in Jerusalem, where power is shared awkwardly among various Christian groups and squabbles are common.

“Backing ICANN appears to be the only sensible course for the U.S. But the problem with this approach is that the U.S. cannot risk ICANN itself being captured by hostile powers, and that in turn means that the U.S. cannot ever release its de facto control of ICANN,” he wrote. “It is an inherently unstable situation that is only maintained through constant vigilance on all sides. “

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

It should be clear by now that nothing online is sacred, and no security company is safe from hackers. VeriSign Inc., the firm at the center of so many critical systems on the Web, was infiltrated by hackers in 2010.  Because details of the attack, first disclosed Thursday by Reuters, are so vague we are left to assume the worst -- and the worst is pretty bad.

It's possible that the VeriSign hackers could turn the Web upside down and create an Internet where nothing would be what it seems.  A hacker website could look and act just like your bank's website. Your PC could easily be tricked into downloading automatic software updates that would appear authentic but actually contain viruses. And no matter what web address you typed into your browser, you could be redirected to a criminal's website half-way around the world.

But there's important context to this story which might ratchet down the "Oh My God!" factor considerably.  For starters, there is reason to believe that VeriSign's revelation is nothing more than evidence companies are starting to comply with rules forcing them to disclose such incidents: In other words, similar successful hacks like this may have occurred in the past but simply went unreported.  We'll discuss the evidence for that in a moment. First, let's look at the possibilities raised by the VeriSign attack.

---

 

VeriSign is involved in two distinct, fundamental Internet security structures that could be impacted by this attack.  A successful attack on one would be serious, but a raid on the other could threaten the Internet itself. So let's start there.

VeriSign's most critical function is its role in the Domain Name System address book, which governs what happens when Web users type common name Web addresses into their browsers.  There are 13 "root"  DNS servers placed strategically around the planet for redundancy. VeriSign operates two of them. Should a hacker gain access to this part of VeriSign's business, he or she could theoretically poison the other 11 root DNS servers, and the bad data would eventually spread to the other DNS servers. The consequences could be dire: It could mean that everyone who typed "msnbc.com" into a Web browser would be sent to a computer controlled by criminals, instead of the real msnbc.com website.  A computer criminal with destructive intensions could theoretically ruin the database that maps names with IP addresses and effectively shut down parts of the Internet. It has long been discussed that these root name servers are perhaps the most vulnerable point of the attack on the Internet

But it's more likely that the agencies controlling the other 11 root Domain Name Servers would be able to regain control of the DNS table and restore the system within a day or two, if not within hours. As you might imagine, root DNS servers do disagree from time to time and there is a process for handling that.

It's also important to note that VeriSign, in the SEC disclosure which started this incident, claims that its DNS servers were not attacked by hackers.

"Access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network," the firm wrote in the filing.

VeriSign's other crucial function is issuing digital certificates through its VeriSign Authentication Services group. Certificates impact your computer use every day because they tell your PC that a company's website or software is really what is says it is. Certificates are a crucial part of the SSL system that ultimately displays a friendly looking lock when you visit your online bank.  They also identify the legitimacy of software updates sent to your computer by software makers.  Many modern PCs won't install software unless it is digitally signed. 

A hacker who could influence the way VeriSign issues certificates would be a massive problem for both consumers and corporations.

"VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites,” wrote Catalin Cosoi, Chief Security Researcher at Bitdefender Labs. “A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems,"

In other words, hackers would have an easy time loading viruses onto PCs around the world.

That's terrible, but it's not new. Virus writers have been compromising certificate issuers with abandon for the past 18 months. It's one of the reasons that Stuxnet computer virus managed to infect millions of PCs worldwide.  That also means structures are in place to deal with fraudulent certificates.

"The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit," Cosoi said. "This would potentially yield a huge level of data that could be exploited for financial gain. However, it’s important to remember that a strong anti-phishing solution will keep you protected."

Of course, it's not even clear from VeriSign's filing that its certificate business was compromised.  Complicating matters further: Symantec Corp. purchased most of that business from VeriSign last year. For its part, Symantec said on Thursday that the assets it acquired in the sale were not compromised.

"We want to make it very clear that Symantec takes the security and proper functionality of its solutions very seriously. The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing," said Symantec spokeswoman Nicole Kenyon in a statement to msnbnc.com.

Of course, it’s possible that one of Verisign’s other business unit – it provides extensive security consulting, for example – was the hackers’ only target.  That seems unlikely, however, given the target-rich environment the offers to computer criminals.

To be sure, many experts think the Verisign attack is serious business.

"The SEC filing says 'Information stored on the compromised corporate systems was exfiltrated.' That sounds like a targeted attack to me," said Mikko Hypponen, chief technology officer at F-Secure.com. "Like the one against Google. And RSA. And Lockheed-Martin."

But it's possible the VeriSign admission, buried in the SEC filing, is little more than paperwork which puts in print something that security professionals have long understood: No firm is safe from hackers.  This might be at once comforting and disturbing: In October of last year, the SEC issued guidelines that called out public firms for under-disclosing security leaks and hinted strongly that fines would come when firms failed to report successful hacker attacks. The VeriSign quarterly report was issued soon after, and it's easy to imagine the disclosure is more routine than anyone would like to admit.  In fact, Stewart Baker, a lawyer at Steptoe & Johnson, predicted as much in a blog earlier this month.

"With enforcement so easy, and the harm from breaches so tangible, so serious and so likely to bring headlines, no one should expect the enforcers to go easy on companies that have been slow to disclose. Instead I expect a growing wave of cases based on companies' failure to make timely disclosure of ongoing breaches," he wrote.

Clearly, admission by VeriSign that executives at the firm were unaware of the breach shows a terrible lack of coordination inside the firm. And it's scary to read this admission, too: "Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."

Still, it’s important to note that we are talking about attacks that could be a year old, and whatever they were, criminals are already deep in the process of exploiting them. Sad to say there’s nothing most consumers can do in response to this report.

In health news, there’s always the complicated issue of increased diagnosis vs. increased incidence. Is a new disease on the rise, or are we simply better at finding cases of it? The VeriSign incident raises the same question.

But the deeper truth here is probably something that professionals have known for some time: In the cat and mouse game between hackers and security firms, hackers are winning and, in some places, it's starting to look like a blowout.  

 

 Don't miss the next Red Tape:
*Get Red Tape headlines on your Facebook Wall
*Follow Bob on Twitter. 
*Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).

Most people think they'll never fall for a scam. In fact, that frame of mind is precisely what con artists look for. Those who believe that they know better are often the last to raise their defenses when criminals are nearby. Yes, Virginia, people lose money online. A lot of it. They wire cash to London, they can't help investigating the one-in-a-million chance they really are related to a dead prince from Africa, and they sometimes even travel to Nigeria to find out. Just in case.

Many of the scams you read about are sensational, such as the silly "hit man" scam created by real amateurs (recipients get an e-mail that says send me all your money or I'll kill you).  And you've also seen lists that offer oddly skewed results, such as the recent FBI announcement that scammers pretending to be FBI agents are now the most prevalent Internet crime. You'd figure those numbers are a bit exaggerated because victims of FBI scams are a bit more likely to report those scams to the agency.

Fantastic stories like these only serve to convince many consumers to let their guard down even more, helping to increase the pool of marks for the professional scammers.

I know, because I hear from victims all the time.  My inbox is littered with people whose notes say,"I know I should have known better, but ...." And with that, they beg me for help restoring their ravaged bank accounts. In fact, every single victim I've ever interviewed says they had an inkling that something was wrong from the outset, but they ignored that feeling. That's why the single most important factor in avoiding fraud is this: Learn to trust the feeling in the pit of your stomach.

---

Usually, I can't help restore those bank accounts. But I can help you, if your turn hasn't come up yet.  And even if you are convinced you'd never fall for any online con, someone in your circle of friends or family is vulnerable. Please forward this story to him or her.

Because I hear from so many victims all year long, I know what people really fall for. Here are the top 5 ways cyberthieves separate people from their money, based on my 12 years of writing about Net cons.

1.)   Online dating scams

Anyone out there never done anything dumb for love?  If you are raising your hand, congratulations. You may now relinquish your credentials as a human being.  The rest of you should read on.

Love-based cons are the easiest to perpetrate. Why? Because love always involves a leap of faith -- trusting something you can't see or touch. Just like Internet scams.  For years, criminals have made haunts out of dating services and lonely-hearts chat rooms.  Broken-hearted folks are rarely in their right minds, so they make easy targets.

I once knew the FBI agent in charge of investigating cyber-love scams.  He put it this way:  Men could learn a lot from con artist lovers. They send flowers and candy constantly while wooing a mark (purchased with stolen credit cards, of course).  Gifts really do put women in an agreeable state of mind, he assured me.

Some cons spend months grooming their marks, waiting until after several "I love yous" before asking for $800 to be wired to the passport office in London to help clear up a paperwork mess so he can come to America for a visit.

Yes, it all sounds ridiculous. It's not. It's so profitable that criminals actually pay monthly fees on some dating services. Generally, the more you pay for a service the fewer criminals you'll see, and free Craigslist personal ads tend to be a cesspool. But I've heard from victims who never joined a dating service but were still conned into fake love from perfectly innocent-sounding places like Facebook groups or chat rooms devoted to hobbies like stitching or horses. It all starts with a simple e-mail, perhaps enhanced by a little Facebook research ("Hey, you love the New York Islanders and the Beatles, too! Wow")

Since I've written about this scam many times, I've even heard from concerned family members who beg me to talk the deluded lover down off the cliff when he or she is about to send a bunch of money to a scammer. Usually, I fail. Love is blind; it's also really, really stubborn.

In the latest flavor of the scam, when a deluded lover actually wises up and confronts the criminal, he or she admits to the crime but then adds this twist: "Yes, at first it was just a con, but while we were talking I've really fallen in love with you."

For a whole lot more on this insidious, more-common-than-you'd-believe crime, visit romancescams.org. The group, founded by former victims, has been fighting back for nearly 10 years. They post blacklisted photos there, e-mail addresses and typical opening lines from scammers , and lots of additional helpful scam-fighting tools. If you fall in love and have any doubts, visit the site.

2.)  Fake or "rogue" anti-virus software

We've all seen the pop-ups: "Your computer is infected! Get help now!"

If you've ever clicked through such an ad (really, a hijacking), you know that the price for freedom is $20 or $30 a month.  At first, the ads were clunky and the threats idle. But now, many pop-ups are perfect replicas of windows you would see from Windows or an antivirus product. Some sites actually employ so-called ransomware, which disables your PC until you pay up or disinfect it with a strong antivirus product. That's why consumers forked over hundreds of millions of dollars to fake antivirus distributors in 2009, according to the Federal Trade Commission.

Your best bet?  Make a plan now.  This is the one scam that just about anyone can fall for.  The best protection of all is to back up your important files, so the day your computer is hacked, your digital life won't be on the line.  It's also important to have a fire extinguisher nearby.  A second PC or laptop is often your best help when disaster strikes.  Many viruses disable Internet access, so you'll need a second computer to research your infection and download disinfectant software.  Have a flash drive nearby, too, so you can move the inoculation from one computer to the other.

Meanwhile, if you aren't paying for antivirus software, at least employ one of the popular free products like AVG or Windows Defender.

3.)  Facebook impersonation

Facebook is no longer a Web site -- it's a full-fledged platform, rapidly approaching the scale of the Internet itself. Many young users spend more time on Facebook than on e-mail, and actually use Facebook as their e-mail service.  That means scammers are now crawling all over the service, since they always go where the people go.  There are hundreds of Facebook scams, such as phishing e-mails, Trojan horse infections, misleading advertisements and so on.

But the crime you should most worry about is Facebook impersonation. A criminal who hacks into your Facebook account can learn a staggering amount of information about you. Worse yet, he or she can gain trusted access to friends and family.  We've seen plenty of stories that show Facebook friends can easily be tricked into sending money in response to believable pleas for help.

For this reason, it's time to upgrade your Facebook password. Treat it like an online banking site, because it's not a stretch to say that a criminal who hacks your Facebook account is only one small step away from stealing your money ("Hello, First National Bank, I've lost my password. But my high school mascot is the Owl and my mother's maiden name is Smith. Oh, and my first girlfriend's name was Mary. Can you reset the password now?")

4.) Becoming a bot

You may not know it, but your computer might be a criminal.  Botnets -- armies of hijacked home computers that send out spam or commit other crimes -- remain the biggest headache for security professionals. The various botnets ebb and flow in size, but at any given time, tens of millions of computers on the Web are under the influence of a criminal. No one thinks it's their PC, of course, but look at the odds. If one estimate claiming 100 million infections is accurate, then about one out of every 20 computers in the world is infected.  In other words, someone in your extended family is aiding and abetting a spammer.

How can this be? Victims typically don't notice the criminal activity.  Cyberthieves can easily use your machine without leaving a trace or slowing down your PC performance. They do not deposit e-mails in your sent items folder. Instead of sending 1 million e-mails from your machine, they send one e-mail every hour from 1 million infected machines.

Any honest antivirus company will tell you that there is so much new malicious software created every day that the good guys simply can't keep up. The Web is jammed full of e-mails and Web sites that can turn your home computer into a bot. Your PC could very easily be safe today but at risk tomorrow. That's why it's so important to keep your computer's security tools up to date. But you shouldn't assume that this will keep you 100 percent safe. Avoid the Web's seedier side, and don't let the kids download illegal music or games, a main source of infections. And always keep on the lookout for strange programs, files or surprising hiccups from your machine.

5) The fakosphere

The Web is now littered with fake blogs, fake ads, fake acai berry products, fake work-at-home jobs and fake Web sites saying how great all these things are. You'll even see ads for such products on all major media Web sites, as they've become the Web's answer to late-night infomercials.

The FTC recently issued an opinion clarifying that fake testimonials on Web sites are a violation of federal law, and some of the over-the-top ads have disappeared. But the fakosphere is far from dead.

I know it's tempting to obey one rule that will make your tummy flat, make your bank account fat or make your cancer disappear.  But you can't believe everything you read online.  Never purchase a product without searching Google using this search term:  "(Product name) scam" and "(Product Name) complaint."  Then, spend three minutes familiarizing yourself with the reputation of the item you are about to buy and the price you are about to pay.  One or two complaints might say one thing, but 500 complaints should certainly scream at you that you should put that credit card back in your wallet.

Here are a few other top scam lists worth checking:

* Top 12 scams at BillShrink
* The Times (UK) top scam list
* FBI top scams list

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.