From WikiLeaks to Mega-D, the Week in Security

By Brian Prince  |  Posted 2010-12-05

The saga that is the WikiLeaks controversy dominated security news this past week as governments around the world dealt with the fallout from the breach and the site dealt with denial-of-service attacks.

WikiLeaks' posting of more than 250,000 diplomatic cables online highlighted insider security for many and forced a re-examination of security policies by the U.S. government. But it also drew attacks. Just hours before the site began posting the cables Nov. 28, it experienced a denial-of-service (DoS) attack, reputedly at the hands of a hacker known as "The Jester." Another attack followed one day later.

According to The New York Times, among the cables was one quoting a Chinese person with "family connections to the elite" as saying the Chinese government directed the infamous Aurora attack on Google and other companies, something Chinese officials have denied in the past. Other cables discussed the conflicts between Google and China regarding censorship of the Internet.

As the controversy spiraled, Amazon decided to stop hosting WikiLeaks on its servers, a move the company contends was not made due to political pressure but instead because WikiLeaks had violated Amazon's terms of service. In addition, PayPal cut WikiLeaks' online donation account during the week.

Outside the WikiLeaks controversy, the U.S. government also made the news through a new report by the Federal Trade Commission on online privacy that proposed a "Do Not Track" mechanism to limit the tracking of online consumers by advertisers and companies.

"For example, consumers are largely unaware of their ability to limit or block online tracking through their browsers, in part because these options may be difficult to find; further, those consumers who know about these options may be confused by the lack of clarity and uniformity among the browsers in how choices are presented and implemented," the report states.

"The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits, to signal whether the consumer wants to be tracked or receive targeted advertisements," the report continues.

Researchers also told eWEEK the situation could be addressed by requiring browsers to append a string to HTTP headers. The header approach would be a "binary flag," where the browser could turn it on for every HTTP connection, just third-party sites, or sites defined by the user, said Harlan Yu of the Center for Information Technology Policy at Princeton University.

Protecting users drove a partnership between Google and Adobe Systems to bring sandboxing technology to a version of Flash Player bundled with Google Chrome 9.0.587.0, currently in Google's dev channel.

"Over the next few months, we will be testing and receiving feedback on this project," Peleus Uhley, senior security strategist for the Adobe Secure Software Engineering Team, wrote in a blog post. "Since this is a distinctly different sandboxing code base from Internet Explorer, we are essentially starting from scratch. Therefore, we still have a few bugs that we are working through. We hope that we can use this experience as a platform for discussing sandbox approaches with the other browser vendors."

But attackers were busy as well, targeting Facebook users in a resurgence of an old scam involving a bogus application promising to track who views user profiles. News also trickled out that the FBI had identified a man believed to be at the center of the Mega-D botnet, which once accounted for roughly a third of the world's spam. The man, 23-year-old Oleg Nikolaenko, is accused of receiving more than $464,000 during a roughly six-month period in 2007 to spam out e-mails for a crew of criminals specializing in the sale of fake goods. Nikolaenko has pleaded not guilty to the charges.

"It's encouraging to see law enforcement agencies going after these bot-herding criminals," blogged Phil Hay, senior threat analyst with M86 Security. "Identifying and incapacitating the individuals behind the malware is one of the best ways to keep these giant spam-spewing systems in check."
