WikiLeaks, the Mega-D botnet and online privacy led the way in cyber-security news this past week.
The saga that is the WikiLeaks controversy dominated security news
this past week as governments around the world dealt with the fallout
from the breach and the site dealt with denial-of-service attacks.
WikiLeaks' posting of more than 250,000 diplomatic cables online for many highlighted insider security and forced a re-examination
security policies by the U.S. government. But it also drew attacks.
Just hours before the site began posting the cables Nov. 28 it experienced a denial-of-service attack
(DoS), reputedly at the hands of a hacker known as "The Jester." Another attack followed that one day later.
According to The New York Times
among the cables was one quoting a Chinese person with "family
connections to the elite" as saying the Chinese government directed the
infamous Aurora attack on Google and other companies, something Chinese
officials have denied in the past. Other cables discussed the conflicts
between Google and China regarding censorship of the Internet.
As the controversy spiraled, Amazon decided to stop hosting WikiLeaks
its servers, a move the company contends was not made due
to political pressure but instead because WikiLeaks had
violated Amazon's terms of service. In addition, PayPal cut WikiLeaks
online donation account during the week.
Outside the WikiLeaks controversy, the U.S. government also made the news through a new report by the Federal Trade Commission
online privacy that proposed a "Do Not Track" mechanism to limit the
tracking of online consumers by advertisers and companies.
"For example, consumers are largely unaware of their ability to
limit or block online tracking through their browsers, in part because
these options may be difficult to find; further, those consumers who
know about these options may be confused by the lack of clarity and
uniformity among the browsers in how choices are presented and
implemented," the report states.
"The most practical method of providing uniform choice for online
behavioral advertising would likely involve placing a setting similar
to a persistent cookie on a consumer's browser and conveying that
setting to sites that the browser visits, to signal whether the
consumer wants to be tracked or receive targeted advertisements," the
Researchers also told eWEEK the situation could be addressed by requiring browsers to append a string to HTTP headers
The header approach would be a "binary flag," where the browser could
turn it on for every HTTP connection, just third party sites or sites
defined by the user, said Harlan Yu of the Center for Information
Technology Policy at Princeton University.
Protecting users drove a partnership between Google and Adobe Systems
bring sandboxing technology to a version of Flash Player bundled with
Google Chrome 9.0.587.0, currently in Google's dev channel.
"Over the next few months, we will be testing and receiving feedback
on this project," Peleus Uhley, senior security strategist for the
Adobe Secure Software Engineering Team, wrote in a blog post. "Since
this is a distinctly different sandboxing code base from Internet
Explorer, we are essentially starting from scratch. Therefore, we still
have a few bugs that we are working through. We hope that we can use
this experience as a platform for discussing sandbox approaches with
the other browser vendors."
But attackers were busy as well, targeting Facebook users in a resurgence of an old
involving a bogus application promising to track who views user
profiles. News also trickled out that the FBI had identified a man
believed to be at the center of the Mega-D botnet, which once accounted
for roughly a third of the world's spam. The man, 23-year-old Oleg Nikolaenko, is accused
receiving more than $464,000 during a roughly six-month period in 2007
to spam out e-mails for a crew of criminals specializing in
the sale of fake goods. Nikolaenko has pleaded not guilty to the
"It's encouraging to see law enforcement agencies going after these
bot-herding criminals," blogged Phil Hay, senior threat analyst with
M86 Security. "Identifying and incapacitating the individuals behind
the malware is one of the best ways to keep these giant spam-spewing
systems in check."