Microsoft, Facebook, Govt Legislation Led Security News

A recap of the past week's IT security news featured Microsoft Patch Tuesday, Facebook security and the latest cyber-security bills in Congress.

Lawmakers in Washington, D.C. introduced more cyber-security and online privacy bills in Congress last week. Sen. John D. Rockefeller introduced the long-anticipated "Do Not Track" bill, which would require all companies to honor users' tracking preferences. Companies that violate rules set by the Federal Trade Commission would face civil penalties and lawsuits from the FTC and state attorneys general. The bill also covers users who go online from mobile phones and through wireless carriers.

A bipartisan group of 11 senators, led by Sen. Patrick Leahy, introduced PROTECT IP, a revamped version of last year's COICA, to combat online piracy. PROTECT IP would authorize the Justice Department to obtain injunctions requiring Internet service providers to stop resolving DNS (Domain Name System) queries for sites that sell or distribute counterfeit goods. The government would also be empowered to force other companies, such as search engines, ad networks and online payment processors, to stop supporting the "infringing site."

The White House also sent Congress its ambitious cyber-security proposal, outlining how it would protect critical infrastructure from cyber-attack and requesting a federal data breach notification law. Under the plan, the Department of Homeland Security would work with individual businesses and states to protect electric grids, financial systems and transportation networks. The Obama administration would leave individual organizations in control of how they protect their networks, but require them to share those protection plans with DHS; if DHS judged a plan not comprehensive enough, it would work with the organization to improve it.

Facebook users were told to change their passwords, again, especially if they used a lot of apps on the social networking site. Symantec researchers discovered that app developers still using Facebook's older authentication system, rather than the newer OAuth 2.0 flow, were inadvertently passing users' access tokens to third parties such as advertisers and analytics companies. The tokens act as a "spare key" to a user's profile: whoever holds one can read user data such as photographs and post messages on the user's Wall. Changing the password invalidates the outstanding tokens, which is why users were told to do so.
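The usual way an app "inadvertently passes along" a token is by placing it in a URL: from there it reaches third parties either directly, as a query parameter on a request to an advertiser or analytics host, or indirectly, in the Referer header the browser attaches when the app's page loads a third-party script or image. The article does not describe the mechanism in that detail, so the following is an added example, not code from the article, Symantec or Facebook. It scans a constructed request log (hypothetical hosts, a hypothetical log format, and the assumed parameter names `access_token` and `token`) for tokens reaching third-party hosts, and shows the hardened alternative of carrying the token in an Authorization header, where it never lands in a URL.

```python
"""Added example: spotting access tokens that leak to third parties via URLs.

The log below is constructed for this example (not real Facebook traffic).
Each line is "<METHOD> <url> Referer: <referer>", as an imagined proxy or
instrumented browser might record outbound requests from an app's page.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the app itself lives on these hosts; any other host is a third party.
FIRST_PARTY_HOSTS = {"apps.example.com", "graph.example.com"}
# Assumption: query parameter names that carry a bearer-style access token.
TOKEN_PARAMS = {"access_token", "token"}

# Constructed sample log. Line 1 leaks via Referer, line 2 leaks via the
# request URL, lines 3 and 4 stay first-party and are fine.
SAMPLE_LOG = """\
GET https://ads.example.net/pixel.gif?app=123 Referer: https://apps.example.com/canvas?access_token=AAAB.leak1
GET https://analytics.example.org/collect?access_token=AAAB.leak2&ev=view Referer: https://apps.example.com/home
GET https://graph.example.com/me?access_token=AAAB.ok Referer: https://apps.example.com/home
POST https://graph.example.com/me/feed Referer: https://apps.example.com/home
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+)(?: Referer: (?P<referer>\S+))?$")


def tokens_in_url(url):
    """Return {param: value} for every token-bearing query parameter in url."""
    found = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        if name in TOKEN_PARAMS:
            found[name] = values[0]
    return found


def find_token_leaks(log_text):
    """Flag requests in which a token reaches a third-party host, either in the
    request URL itself or in the Referer the browser attached to it."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would log and move on
        host = urlsplit(m["url"]).hostname
        if host in FIRST_PARTY_HOSTS:
            continue  # token sent to the app or API itself is expected
        for param in tokens_in_url(m["url"]):
            leaks.append({"line": lineno, "host": host, "via": "url", "param": param})
        if m["referer"]:
            for param in tokens_in_url(m["referer"]):
                leaks.append({"line": lineno, "host": host, "via": "referer", "param": param})
    return leaks


def hardened_request(token, url="https://graph.example.com/me/feed"):
    """Build the request with the token in an Authorization header instead of
    the URL, so it cannot end up in a Referer, a server log or browser history.
    Returns (url, headers) for whatever HTTP client the app uses."""
    if tokens_in_url(url):
        raise ValueError("token must not be placed in the URL")
    return url, {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    for leak in find_token_leaks(SAMPLE_LOG):
        print("line {line}: token '{param}' reached {host} via {via}".format(**leak))
    print(hardened_request("AAAB.ok"))
```

Run against the sample log, the scanner reports two leaks: the token on line 1 reaches the ad host through the Referer header, and the token on line 2 is sent to the analytics host outright. The same scan over traffic from an app built with `hardened_request` finds nothing, because the token never appears in any URL.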

Facebook also rolled out several new security measures: two-factor authentication at login, CAPTCHA challenges on links suspected of being spam, and a safe-browsing tool that uses community ratings to judge whether a link is safe.

Microsoft announced it would acquire voice-over-IP provider Skype on the same day it released its small Patch Tuesday update for May, which addressed two vulnerabilities, one in Windows Server and one in PowerPoint. Just before the announcement, Skype patched a flaw of its own in the Mac client that could have let attackers create a worm and spread it through the victim's contact list. While the Microsoft-Skype combination would have the most impact on video conferencing and mobile, security experts cautioned vendors and developers to watch for any changes to Skype that would require modifying their own products.

Microsoft also released volume 10 of its Security Intelligence Report, which found that phishing attacks targeting social networking platforms rose sharply in the second half of 2010. Websense reported that cyber-attackers were moving their botnet operations to countries with a better "cyber-reputation," such as Canada, so that their traffic draws less suspicion.