Talk about requiring companies to make it easier for authorities to intercept communications on the Web led a busy week in IT security news that also featured an emergency Microsoft patch and mass arrests in the fight on cyber-crime.
The Obama administration’s plans were first reported by the New York Times. The discussions on the issue centered on three areas: requiring that communications services that encrypt messages have a way to unscramble them; mandating that foreign-based providers doing business inside the United States have a domestic office capable of performing intercepts; and ensuring that developers of peer-to-peer software redesign their service to allow file interception.
The plans revisited an old debate that arose during the 1990s. Just as they did back then, critics argued that creating backdoors to facilitate government surveillance also creates opportunities for attackers, and the government already has enough power to monitor Internet communications.
“This isn’t a question where there’s this thing that can make us safer, should we do it or should we not do it,” Cindy Cohn, legal director at the Electronic Frontier Foundation, told eWEEK. “This thing that they want won’t make us safer. It will make us more vulnerable. Not just to government misuse, but to third parties.”
In the fight against cyber-crime, law enforcement arrested dozens of people during the week accused of involvement in a massive online bank fraud scheme. All totaled, the crew is accused of stealing $70 million before it was shut down by authorities in the U.S., U.K. and Ukraine.
The criminals used the infamous Zeus Trojan to infect computers and steal bank credentials belonging to individuals, small businesses and others, the FBI said. Ivan Macalintal, manager of advanced threats research at Trend Micro, told eWEEK that Zeus is often able to dodge detection partly because of the sheer number of variants out there.
“Zeus is one of the notorious and dangerous threats out there, especially now when users mostly do daily activities in the Internet, like banking online,” he said.
Microsoft also pushed out an emergency patch for a vulnerability in ASP.NET, which is used to build Web applications. The vulnerability is due to ASP.NET’s use of encryption padding, which provides information in error messages that could be used by attackers to read and tamper with data encrypted by the server.
In other news, Symantec released a detailed paper on the Stuxnet worm (PDF), while Iran announced it arrested multiple people for spying on its nuclear energy program.