A recap of the past week's IT security news featured Microsoft Patch Tuesday, Facebook security and the latest cyber-security bills in Congress.
Lawmakers in Washington, D.C. introduced more cyber-security and online privacy bills in Congress last week. Sen. John D. Rockefeller introduced the long-anticipated "Do Not Track" bill, which would require all companies to honor users' tracking preferences. Companies that violate rules set by the Federal Trade Commission would face civil penalties and lawsuits from the FTC and state attorneys general. Rockefeller also included provisions to cover users surfing online using mobile phones and wireless carriers.
A bipartisan group of 11 senators, led by Sen. Patrick Leahy, introduced PROTECT IP, a revamped version of last year's COICA, to combat piracy online. PROTECT IP would authorize the Justice Department to obtain injunctions requiring Internet service providers to cut off DNS (Domain Name System) service to sites selling or distributing counterfeit goods. The government would also be empowered to force other companies, such as search engines, ad networks and online payment processors, to stop supporting the "infringing site."
The White House also sent its ambitious cyber-security proposal to Congress, outlining its plans for protecting critical infrastructure from cyber-attack and requesting a federal data breach notification law. Under the plan, the Department of Homeland Security would work with individual businesses and states to protect electric grids, financial systems and transportation networks. The Obama administration gave individual organizations control over how to protect their networks, but required that those plans be shared with DHS. If a plan was not comprehensive enough, DHS would work with the organization to improve it.
Facebook users were told to change their passwords, again, especially if they used a lot of apps on the social networking site. Symantec researchers discovered that app developers who were using Facebook's older authentication system instead of the newer OAuth 2.0 system were inadvertently passing user access tokens along to third parties, such as advertisers and analytics companies. The tokens acted as a "spare key" to user profiles, giving others access to user data such as photographs and the ability to post messages on the user's Wall.
Facebook also rolled out several security features, such as two-factor authentication for login, CAPTCHA challenges on links that may be spam, and an online surfing tool that uses community rankings to determine whether links are safe.
Microsoft announced it would be acquiring voice-over-IP provider Skype on the same day it released its small Patch Tuesday update for May. Patch Tuesday addressed two vulnerabilities, in Windows Server and PowerPoint. Just before the announcement, Skype patched a flaw of its own in the Mac client that would have allowed attackers to create and spread a worm via the user's contact list. While the Microsoft-Skype combination would have the most impact on video conferencing and mobile, security experts cautioned vendors and developers to be vigilant about any changes to Skype that would require modifying their own products.
Microsoft also released volume 10 of its Security Intelligence Report, which found that phishing attacks on social networking platforms skyrocketed in the second half of 2010. Websense reported that cyber-attackers were moving their botnet operations to countries with a better "cyber-reputation," such as Canada.