The past week in IT security news featured headlines about the European Commission's plans to protect online privacy, reports of an Internet Explorer zero-day attack and much more.
Online privacy was once again in the spotlight this past week when the
European Commission announced it is looking to tighten data protection rules
for the Web.
According
to the commission, the rules should require that businesses clearly inform
customers how, why, by whom and for how long their data is collected and used.
In addition, the rules should reduce discrepancies in European Union (EU) data
protection rules and permit people to give their informed consent to the
processing of their personal data.
The commission is accepting public input on the rules through Jan. 15 via
its Website. Meanwhile, Facebook was in the news again in regard to the sharing
of user IDs (UIDs). This time, it was because the site announced that
application developers caught selling UIDs had been suspended.
According to Facebook, less than a dozen application developers were
involved, and none was responsible for any of the 10 most popular apps on the
site.
In a blog post,
Facebook engineer Mike Vernal wrote that the company is "instituting a
6-month full moratorium on (the
developers'
access) to Facebook communication channels, and we will require these
developers to submit their data practices to an audit in the future to confirm
that they are in compliance with our policies.
"While we determined that no private user data was sold and confirmed
that transfer of these UIDs did not give access to any private data, this
violation of our policy is something we take seriously," he blogged.
Application security made its way into the news as well, when viaForensics
highlighted a number of vulnerable mobile banking applications from companies
such as PayPal, TD Ameritrade and Bank of America. The situation highlighted
the fact that developers face some unique security challenges when
creating
mobile applications, security pros said.
"The mobile device itself cannot be considered to be trusted; devices
are lost and stolen all the time," Richard Wang, U.S.
manager of SophosLabs, told eWEEK. "I think these incidents show that the
comparative lack of experience of mobile developers when it comes to security
considerations [such as] storing usernames and passwords in plain text on the
device is a rookie mistake."
Malware developers think about security as well-albeit for a different
purpose, as
highlighted
here in a discussion of some of the techniques attackers use to fight back
against researchers and rivals.
They also think about new vulnerabilities, as exemplified by the appearance
of a new
Internet
Explorer zero-day attack. Microsoft issued an advisory on the issue Nov. 3,
after researchers at Symantec noticed an attack exploiting the vulnerability to
infect users with a backdoor Trojan known as Pirpi. The vulnerability impacts
IE 6, 7 and 8, though there are mitigating factors
detailed
in the advisory.
According to Microsoft's
pre-Patch
Tuesday notification advisory, the IE bug is not on the agenda to be fixed
Nov. 9. However, the company does have patches slated for Microsoft Office and
Forefront Unified Access Gateway (UAG). Of
the three security bulletins (two for Office, one for UAG),
two are rated "Important" while the third, which affects Microsoft
Office, is rated "Critical."
Email
Print
