An archive of all the news items between July 2006 and August 2006 on Compliance and Privacy
FFIEC Deadline Approaching for Financial Institutions
The Federal Financial Institutions Examination Council (FFIEC) guideline requiring all financial institutions to outline a plan for, or begin implementation of, multi-factor authentication tools by the end of 2006 has many organizations scrambling to evaluate vendors and finalize plans. Throw into the mix the recent announcement that EMC is to acquire RSA, which adds to the confusion and frustration felt by institutions tasked with ongoing compliance decisions and deadlines.
View the 47 minute Webcast and also Download the White Paper
Monthly Threat Summary
Microsoft Corp.'s Security Bulletin release set a record both in the total number of vulnerabilities addressed and in the number labeled as Critical (15 this month as opposed to 11 last month). Of these vulnerabilities, security experts consider MS06-040 to be the most critical, and it should be patched immediately.
Read the article
Baiting the hook
Back when Frank Abagnale Jr, subject of the film Catch Me If You Can, was on the run, being an international fraudster seemed to involve swanky hotels, beautiful women and staying one step ahead of the authorities. Nowadays things are a lot more ruthless. Modern phishers rely primarily on social engineering techniques to defraud their victims, exploiting their trust in order to breach security measures and steal customer details.
They use similar techniques to spammers in order to find their targets, harvesting names and addresses from computers infected with worms and viruses. Direct fraud losses from online phishing scams in the UK almost doubled in 2005 to £23.2million, according to statistics from the Association for Payment Clearing Services (Apacs).
“Phishing has evolved. Phishing organisations are behaving like the marketing departments of large organisations. Just like you get targeted marketing from your supermarket, they're starting to target particular people,” says David Porter, head of security and risk at Detica.
This extract is from Financial Sector Technology and their copyright is acknowledged. For the full article please read on
Barclaycard clears Datanomic to help meet regulatory deadlines
Datanomic, the pioneers of integrated data quality management solutions, has been selected by Barclaycard to supply a software solution for screening clients against commercial Sanctions and PEP watch lists. The Datanomic dn:Match software will be installed at Barclaycard sites in the UK, North America and Africa. The first phase of this contract is operational with remaining phases due for completion before September.
Read the article
Cisco further blurs technology lines with video purchase
Cisco is slowly but surely moving from the server rooms to the living rooms with its latest gem: Arroyo Video, a software company which manages video-on-demand (VOD) services. Late last year, Cisco made a bold move by shelling out $6.9 billion to purchase Scientific-Atlanta (S-A) – the other half of the set-top box duopoly (with Motorola). These two investments and other incidental purchases along the way aim to fortify Cisco's position in the digital home.
Read the Article
IBM's acquisition of ISS supports convergence theories
Everybody was chanting “convergence” when Symantec joined forces with Veritas and then again when EMC united with RSA. IBM's gobbling up of Internet Security Systems (ISS) last week almost appears to be a self-fulfilling prophecy. ISS is a leader in network security and managed security products, of which MSS accounts for 20-25% of its total revenue.
Read the Article
Financial services firms overspend to meet new compliance laws
Almost half of financial institutions (49 per cent) are exceeding the expected cost of implementing compliance solutions, according to a study by PMP Research. The research shows 13 per cent of financial services firms have reacted to a wave of new compliance requirements by considerably exceeding their budget. The report shows that an effective technology strategy is a vital component of any solution to overspending. While 36 per cent of organisations have met their targets, none have come in under budget. The report shows 92 per cent of companies prefer to use in-house expertise as the main route to developing ‘best practice' for governance and compliance. And 72 per cent source information from industry bodies, while only 62 per cent approach external consultants.
Read the Computing article
40% of Fraud Alerts Don't Propagate
We're highlighting this item from the Emergent Chaos blog which we carry:
Debix is reporting that 40% of fraud alerts don't propagate between all three major credit agencies. You remember those fraud alerts? They're supposed to protect you from identity theft, right? Well, let me let you in on a secret.
Identity theft is the best thing to happen to the credit agencies since the creation of the SSN.
Identity theft helps them sell more products, like identity verification tools, to their customers. It creates a new line of consumer business, people who will often happily pay them $10 a month to tell you what lies they're spreading about you.
Is it any wonder that the alerts don't propagate? Is it any wonder that they've been sitting on this knowledge?
I'm very excited about the emergence of companies like Debix, who are not responsible for the problem, but are helping us understand and fix it.
ID Security Company Finds Snags in Fraud Alert System
Consumer advocates have long complained that the fraud alert system mandated by Congress in 2003 as a consumer's first line of defense against identity theft does not always work properly. So a company seeking to enter the market for identity theft prevention services recently recruited 54 data security and privacy experts to test the system. They claim to have found some kinks, although the credit reporting agencies beg to differ. Julie Fergerson, vice president for emerging technologies at Debix, the company that produced the study, said that in 40 percent of the cases she examined, it appeared that fraud alerts had failed to put all the reporting agencies on notice to prevent new credit accounts, loans and other debts from being opened in a consumer's name without a verifying phone call from the creditor.
Read the New York Times Article
IBM to Acquire Internet Security Systems Inc.
ARMONK, NY and ATLANTA, GA – August 23, 2006: IBM (NYSE: IBM) and Internet Security Systems, Inc. (NASDAQ: ISSX) today announced the two companies have entered into a definitive agreement for IBM to acquire Internet Security Systems, Inc., a publicly held company based in Atlanta, Ga., in an all-cash transaction at a price of approximately $1.3 billion, or $28 per share. The acquisition is subject to Internet Security Systems, Inc. shareholder and regulatory approvals and other customary closing conditions. The transaction is expected to close in the fourth quarter of 2006.
Internet Security Systems (ISS) provides security solutions to thousands of the world's leading companies and governments, helping to proactively protect against internet threats across networks, desktops and servers. ISS software, appliances and services monitor and manage network vulnerabilities and exploits and rapidly respond in advance of potential threats. This acquisition advances IBM's strategy to utilize IT services, software and consulting expertise to automate labor-based processes into standardized, software-based services that help clients optimize and transform their businesses.
Read the Article
MiFID Connect to Influence MiFID implementation
A group of 11 UK trade associations have banded together to influence the way the European Union's Markets in Financial Instruments Directive (MiFID) is implemented following fears that City regulators could take an "overly stringent approach" to the new measures, says the FT.
According to the Financial Times report, the associations party to the "highly unusual co-operative effort" include the Association of British Insurers, the British Bankers' Association (BBA), the Investment Management Association (IMA) and the London Investment Banking Association (Liba).
MiFID, which takes effect in November 2007, has been finalised in Brussels but uncertainty remains over how the UK's Financial Services Authority (FSA) will interpret the directive.
The FT says the 11 financial trade associations, which have formed an entity called MiFID Connect, are lobbying to establish a "practical, cost-effective and market-sensitive policy" on the directive's implementation. They hired law firm Clifford Chance to compile a 'Mifid Survival Guide', which is on sale for £1100.
Read the article
The United Kingdom Data Protection (Processing of Sensitive Personal Data) Order 2006
The UK Data Protection (Processing of Sensitive Personal Data) Order 2006 sneaked onto the United Kingdom statute books without any great fanfare on 25 July 2006. It allows the Police to pass details of cautions and convictions relating to certain offences of viewing child pornography over the internet to banks and card providers, so that they can cancel the credit/debit/charge cards that were used in purchasing such images.
Read the article
'Secure the Trust of Your Brand'
Survey: "security can have consequences for corporate brands".
In the U.S. last year, over 52 million account records were reportedly stolen or misplaced; in 2006, reports of security breaches continue.
In the light of this, 2,200 consumers were asked how corporate security practices affect their purchase patterns. Conducted by the Chief Marketing Officer (CMO) Council and the Business Performance Management (BPM) Forum, and underwritten by Symantec and Factiva, the survey found consumers are increasingly keeping tabs on corporate security news.
Approximately 90 percent of respondents said that security is a concern to them, and 50 percent said that they have recently become more concerned about security than before.
Symantec announces plans to exit the security appliance business
During Symantec's recent Q2 earnings call, CEO John Thompson confirmed that the company plans to exit the UTM (Unified Threat Management) security appliance business. "We've discontinued new hardware development on our network and gateway security appliances," he explained. "This will enable us to invest more in higher-growth areas, such as enterprise messaging and compliance-related markets."
In general the move signals a continued change in focus following Symantec's purchase of Veritas.
Security Breaches - Around 80 per cent affected!
Two new surveys on security breaches have just been published, and they make difficult reading, particularly given the rising tide of security breach legislation in the US and the activities of data protection officials in Europe.
The first, published by Deloitte, found that 78 per cent of the world's top 100 financial services organizations surveyed admitted to a security breach from outside the organization. In a similar survey in 2005, only 26 per cent admitted to having suffered a breach. The survey also found that nearly half of the organizations experienced at least one internal breach, up from 35 per cent in 2005. In response, 95 per cent of enterprises said their information security budgets have increased in the past year.
Read the article
Ad dishes up malware to more than 1M PCs
More than 1 million users of MySpace.com and other Web sites may have been infected with adware spread by a banner advertisement, according to iDefense, a computer security group, as reported in Computerworld.
The advertisement, for a site called deckoutyourdeck.com, appeared in user profiles on MySpace, an online community with at least 70 million users, said Ken Dunham, director of the rapid response team at iDefense, which is owned by VeriSign Inc.
The ad exploits a problem in the way Microsoft Corp.'s Internet Explorer browser handles Windows Metafile (WMF) image files.
Compliance and Privacy Newsletter - 27 July 2006
In this issue:
- An Analysis of New Security Features Within Microsoft Vista and Internet Explorer 7 - iDefense Webcast
- Emergent Chaos
- What direction for RSA after EMC's takeover?
- Ad dishes up malware to more than 1M PCs
Click Here for the Newsletter
What direction for RSA after EMC's takeover?
In an article in American Banker, RSA Security Inc. says its consumer online banking security business would not be changed after the vendor sells itself to the data storage company.
“RSA will continue to build and invest in this business, as both companies believe that the protection of online consumers’ identity is a burgeoning business that is just beginning to take off,” said Art Coviello, RSA’s president and chief executive, in a presentation to analysts after the deal.
Joe Tucci, EMC’s chairman, president, and chief executive, said RSA’s customers should not worry that this plan would change its focus. He said he hopes to use RSA’s technology to improve his company’s data storage
Compliance and Privacy Newsletter - 13 July 2006
In this issue:
- SWIFT accused of Privacy Breaches
- Who Steals My Name
- VeriSign Security Review for June 2006
- Do you test on Live Data? It's illegal!
- Tim Berners Lee's Blog
- Voice-over-Internet Protocol Vulnerabilities - an iDefense Webcast
- Webcast - How IE 7 and High Assurance SSL Certificates Will Impact Your Site
- UK Information Commissioner issues Enforcement against b4usearch.com
Click Here for the Newsletter
Using RFID Technology to Fight Counterfeit Entertainment Products
In an RFID Journal article about the recent Entertainment Supply Chain Academy held in Los Angeles, it was reported that RFID technology vendors OATSystems, ADT, and VeriSign described different ways supply chain partners in the entertainment industry could deploy RFID to increase efficiency and data accuracy. Paul Mackinaw, VeriSign's principal consultant, noted that movie studios and other producers of entertainment media could leverage RFID technology not just for improved supply chain operations, but also for authenticating product as a means of fighting counterfeits. It could also serve as a tool for ensuring that retailers introduce new titles to the sales floor on the appropriate release date, not before or after.
"Craig's List" lookalike for global terrorism
U.S. intelligence agencies have begun monitoring a frightening new Web site that functions as a "Craig's List" for terrorists across the globe, according to the Washington Post.
In the past month, membership on the site has grown by 200 people a day, and it swelled to 10,322 in the days and weeks following the announcement that mystery man Abu Hamza al-Muhajir was named as the new leader of al Qaeda in Iraq.
A man with a similar name is listed as the administrator of the Web site, called Mohajroon.com, and his caricature pops up when outsiders try to access secret members-only sections, according to Andretta Summerville of the cyber security firm iDefense.
The Web site has been functioning as a one-stop shopping place for terrorists, wannabes and their supporters around the world and appears to serve as an important part of the support network for the murderous al Qaeda in Iraq, Summerville said.
Making the Web Secure
In an Investor's Business Daily article, Phillip Hallam-Baker, principal scientist for VeriSign, was asked how to make the Web secure. In an age of rampant identity theft, Phillip says some accountability measures are needed.
Phillip said, “If we're going to stop people from sending vast amounts of spam, there's got to be an accountability mechanism. We cannot practically hold individuals — 1 billion people — responsible. That would impinge on privacy and would be impractical. What we can do is hold the Internet service providers accountable who are providing those people with service. There's been a successful campaign to persuade Internet service providers to limit the amount of data an individual can put into the e-mail system. There's a clear difference between (sending) 300 e-mails an hour and a million an hour, which is what a botnet (a network of computers controlled by hackers) can be pumping out.”
VeriSign Announces Plan to Further Enhance .com and .net Constellation with Regional Internet Resolution Site in Bulgaria
Distributed Infrastructure to Provide Even Greater Security and Stability for Growing Number of Bulgarian Internet Users
VeriSign announced on 4th July 2006 a plan to enhance its global constellation of geographically-dispersed Internet Resolution Sites by installing and operating a Regional Internet Resolution Site in Sofia, Bulgaria. The announcement is another important step in VeriSign's effort to expand critical Internet infrastructure in regions of emerging growth. Once fully implemented, the site will improve Internet performance for the over 2 million Internet users in Bulgaria.
UK Information Commissioner Enforces against B4usearch.com
Web business b4usearch.com has fallen foul of Richard Thomas, the United Kingdom Information Commissioner, over the processing of personal data on its website. The Information Commissioner's Office (ICO) has ordered the website b4usearch.com to stop using personal information from electoral registers published before 2002, after finding the site in breach of the Data Protection Act. B4U is a company based in Birmingham in the UK.
Mick Gorrill, Head of Regulatory Action at the ICO, said: “We take breaches of the Data Protection Act very seriously. As this case demonstrates, we will take action against organisations that don't process personal information in line with the requirements of the Act and cause significant concern to individuals. People have an important right under the Data Protection Act to know that their personal information is sufficiently protected.”
Read the article
Live Data Testing is Illegal
“But it can't be. And anyway, we have rigorous security in place”. Regrettably that is the attitude of many hard-pressed CIOs today. The business presses for speedy delivery of tested software, and live data tends to be the data with the “best” hidden gotchas, or so CIOs have always believed. But that doesn't make it lawful.
Starting with the stringent Data Protection regulations in the European Community, and spreading worldwide, the law says, very simply, that the individual whose data record is processed must know the purpose of the processing. And it goes on to say that you may not process that data for any additional purpose without the individual's consent.
Read the article
Who Steals My Name
It begins with a small theft. Someone breaks a car window, grabs a laptop computer lying on the back seat, and disappears into the darkness with the machine. Unfortunately, that laptop belongs to the global sales manager of your company. And now you - and she - have some big problems, because that laptop contains the ID and password used to access your company’s customer relationship management (CRM) system. This CRM system contains a lot of sensitive information, and none of it is encrypted. Among the sensitive information: a complete profile of your company’s customers around the world, the customers’ credit card numbers, and the customers’ passwords for your company’s ecommerce website.
This ACCA document covers what you need to do and to have in place to handle this emergency.
EMC to acquire RSA
All industries have periods of consolidation, but who would have thought that a storage giant would buy a security corporation? At Compliance and Privacy we have a huge interest in security, and we felt some perspective on the deal would be useful.
Read the article