to help enterprise security across Europe
The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
 
sarbaines oxley ofcom communications regulator
Latest Resources      data protection register
compliance resources privacy resource center

Breaking Global News
Global Compliance and Privacy News
- Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID


You Tell Us:
S
S
L

T
E
C
H
N
O
L
O
G
Y
We use SSL Technology for web data entry points:

Always
Sometimes
Never
What is SSL?

News
Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives
:
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
Tim Berners Lee's Blog
Tim Callan's SSL Blog
Davis Wright Tremaine's Privacy & Security Law Blog
Emergent Chaos Blog
Michael Farnum's Blog
Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
Stuart King's Security and Risk Management Blog
David Lacey's IT Security Blog
Metasploit Official Blog
Jeff Pettorino's Security Convergence Blog
Jeff Richards's Demand Insights Blog
David Rowe's Risk ManagementBlog
Bruce Schneier's Security Blog
Larry Seltzer's Security Weblog
Mike Spinney's Private Communications Blog
Richard Steinnon's Threat Chaos Blog
The TechWeb Blog
Tim Trent's Marketing by Permission Blog
Rebecca Wong 's DP Thinker Blog

Newsletters
23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Reports
Phorm, Webwise and OIX
- BCS Security Forum

'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from Stopbadware.org
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Legislation
Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example

A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for the 21st Century
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use

basel 2 sarbanes oxley
    legislation
data controller notification binding corporate rules BCR data transfer third countries third part data transfer basel 2 regualtor regulation regulate FSA banking network security RSA encryptin algorithm Bits sacked bank staff
Blogs compliance Reports compliancy Legislation Data Protection Case Studies data privacy White Papers data protection act News information commissioner Events security standards Links information security iDefense
Retail Solutions

News - a Roundup of all the news items between early March 2007 and early April 2007, Newest First

Current News Updates compliance and privacy

News - a Roundup of all the news items between early March 2007 and early April 2007, Newest First


To avoid long load times news is archived periodically. If you can't find what you are looking for on this page please refer to our archives. Please use the search engine for ease of retrieval.

Main News page | Archives: (oldest) 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 (most recent)


EM-SEC Technologies Announces Successful Test of Wireless-Blocking "Paint"

EM-SEC Coating Creates an “Electromagnetic Fortress” that Safeguards Businesses and Government Facilities from Wireless Attacks

EM-SEC Technologies, LLC announced today (14 March 2007) that the tests performed around the perimeter of their “painted” SCIF (Sensitive Compartmented Information Facility) yielded successful results for the protection of wireless devices and other electronic equipment within the structure. The tests confirmed that wireless transmission of information can be protected from unauthorized access by the use of their EM-SEC Coating System.

“The use of EM-SEC Coating as an electromagnetic barrier for the containment of wireless networks has opened a new realm of possibilities for our company and for the future of wireless communications” said Robert Boyd, Vice President and Director of Technology for EM-SEC Technologies, LLC. “As hackers, identity thieves and even terrorists become more sophisticated in the methods they use to obtain information or inflict damage, this experiment confirmed EM-SEC Coating reduces the threat from electronic eavesdropping and blocks out electromagnetic interference for the protection of electronic data.”

This was an exclusive operation to test the effects of utilizing the EM-SEC Coating System as a viable solution to enabling the safe and secure operation of wireless networks within the confines of an architectural enclosure. The EM-SEC Coating System used for these tests is a series of water-based shielding products that restrict the passage of airborne RF (Radio Frequency) signals. The EM-SEC Coating was initially developed to aid the U.S. Government and Military in shielding operation centers in order to safeguard mission critical information against threats to national and homeland security. These tests revealed that EM-SEC Coating can now successfully be utilized by corporate and private companies.

Read the article


TRUSTe and Ponemon Institute Announce Results of 2007 Most Trusted Companies for Privacy Study

Overall and Industry-by-Industry Rankings Rate Top Performing Commercial and Government Organizations

TRUSTe and the Ponemon Institute have announced the results of the 2007 Most Trusted Companies for Privacy Study, an annual evaluation of how consumers perceive organizations that collect and manage their personal information. The 2007 Most Trusted Companies for Privacy Study ranks companies and federal agencies industry-by-industry as well as providing a list of overall top performing companies.

TRUSTe and the Ponemon Institute are hosting a webinar discussing the Most Trusted Companies for Privacy Study from 1:00pm – 2:00pm EDT / 10:00am – 11:00am PDT today (28 March, 2007). To register for the live event, visit http://www.truste.org/mtc_webinar.php .

Overall, the top three rated companies for privacy trust in 2007 are, in order, American Express, Charles Schwab, and IBM. In 2006 the top three companies were American Express, Amazon, and Procter & Gamble. Previous years' winners have included E-Loan, Hewlett-Packard, and eBay.

Read the article

 


Online fraudsters ‘sting' users for £875 - Get Safe Online

Internet users who have experienced online fraud lost an average of £875* each over the past twelve months, according to “Internet Safety: The State of the Nation,” research by the government and industry online safety campaign,  Get Safe Online .

A survey of UK internet adult users – who number 29 million – found that 12% (almost 3.5 million people) had experienced online fraud in the last year.  In that time, 6% of all internet users (1.7 million people) suffered fraud while shopping online, 5% (1.5 million) experienced another form of general online fraud and 4% (1.2 million) were subject to bank account or credit card fraud as a result of activity online (some users experienced more than one of these).

The rise in online fraud comes as UK internet activity has risen dramatically.  The report found that 93% of internet users now use the web daily and that, on average, we each spend £1,044 per year buying goods and services on the web – equivalent to £30 billion for the UK online population as a whole.

Read the article


Liberty Alliance Releases New Specifications for Linking Digital Identity Management to Consumer Devices

Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced the release of the Advanced Client specifications designed to allow enterprise users and consumers to manage identity information on devices such as cameras, handhelds, laptops, printers, and televisions. The Advanced Client is a set of specifications and technologies that leverage the proven interoperability, security and privacy capabilities of Liberty Federation and Liberty Web Services to allow users to conduct a wide range of new identity-based transactions from any device.

The Advanced Client is part of Liberty's roadmap to deliver an end-to-end digital identity management framework that provides enterprise users and consumers with increased identity management functionality across all networks and devices. The set of platform independent specifications were developed to extend identity management capabilities such as single sign-on, access to Web Services, stronger authentication and user-controlled provisioning to client devices. The Advanced Client will allow users to securely store identity data on a device and access and manage the information when the device is either connected to a network or offline.

“Liberty's Advanced Client specifications mark a new era in how consumers will access identity-based applications and businesses and governments will deploy and manage new identity-based services,” said Roger Sullivan, president of the Liberty Alliance Management Board and vice president of Oracle Identity Management. “With today's news, Liberty Alliance is closer to delivering an always available end-to-end identity framework where devices of all kinds are linked by federation and users are in better control of their identity information.”

Read the Article


Browser Cert Closes Loopholes but Can't Force Adherence; Extended Validation certificates address only part of the security equation

While Extended Validation certificates close loopholes and address technical issues, they don't significantly mitigate the problems with digital CAs and don't address the problem of authoritatively identifying a Web site as legitimate.

Consumers and enterprises alike are rightly concerned with privacy and security when conducting business on the Internet. Without the familiar setup of the brick-and-mortar world, it's difficult for users to judge the validity of Web sites with which they do business.

Extended Validation certificates, developed by the CA/Browser Forum, are intended to allay some of those concerns by certifying sites that are valid business entities.

The CA/Browser Forum's EV certificate guidelines standardize the scrutinization of certificate applicants and require EV CAS (certificate authorities) to pass a “WebTrust for CA” audit. And EV certification is making its way into the mainstream; the CA/Browser Forum's EV guidelines aren't final, but Microsoft's Internet Explorer 7 already supports EV certificates.

However, because of some basic weaknesses in how digital certificates are used on the Web, EV certificates will do little to improve the strength of SSL nor will they signify any meaningful trustworthiness of the site presenting the certificate.

Read the Network Computing article


Russian Criminals Targeting U.S. 401ks and Online Traders

Cybercriminal rings in Russia and Eastern Europe have stolen tens of millions of dollars by breaking into and looting U.S. 401k and online stock trading accounts, FBI and SEC officials tell ABC News.

"You could wake up one morning and find all your money in your retirement account or in your trading account is gone," said John Reed Stark, Chief of Internet Enforcement at the Securities and Exchange Commission.

In addition to the Russian rings, authorities have also seen hackers in India, Hong Kong and Malaysia going after similar online accounts.

Read the FInance Mentor article


Hackers promise month of MySpace bugs

They won't divulge their real names, they call their project a "whiny, attention-seeking ploy," and they appear to take their fashion cues from Beastie Boys music videos.

But two hackers going by the names of Mondo Armando and Müstaschio promise to begin disclosing security vulnerabilities in MySpace, News Corp.'s popular social networking site, every day next month.

"The purpose of the exercise is not so much to expose MySpace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular websites," wrote Mondo Armando in an e-mail interview.

Read the Washington Post article


'Storm' Worm on the Attack - May have Melissa potential

A few weeks ago, a new variant of the Storm Worm (Small.DAM) appeared. Like most worms, this one starts off by propagating via email.

In this case, rather than use celebrities or the allure of sex to attract readers, it relies on the most watched newsmakers of the last few years: the weather. And as with other self-propagating worms, it reads contact lists (e.g., Outlook address books) to spread.

But there is an added twist to this one: it also propagates by adding a link into forum posts and/or blogs that you normally contribute to using the HTTP protocol. Note that this worm/trojan pays attention to the protocol rather than just attaching itself to a specific application.

It is this "intelligent" aspect of the worm that makes it somewhat unique. The potential is huge for a repeat of the infamous Melissa and I Love You outbreaks that ravaged systems in 2000.

The worm is designed to capitalize on new method of social engineering: using a user’s established and presumably good reputation on a forum or their own blog means that others will assume that any link provided by that person is a trusted resource. And thus, begins an infection that could swamp whole networks and expose organizations to privacy breeches and corporate espionage.

Read the Datamation article


Image spam tricks spam filters

"A picture is worth a thousand words," goes the old saying. What is true in art and journalism is proving equally apt in the more modern field of spam. As the recent surge in image-based spam shows, pictures can be a very effective way to get a message across – or at least through a victim's anti-spam filter

Richi Jennings, senior analyst for Ferris Research , an IT analysis firm specialising in messaging technologies, says that the number of image spam emails has increased ten fold – or 900% --over the past year.

Much of it is coming from botnets, or networks of PCs that have been infected with a virus and turned into unwitting SMTP servers for spammers. With the computing power of thousands of PCs at their disposal, the spammers  are able to send out more messages and be more creative in their approach, he notes.

Frank Guillotti, director of IT for supply and contract management software vendor Emptoris, has seen substantial growth in image spam. Six months ago as much as 60% of employee mail was spam, with nearly a third of that in the form of image spam, he said. "People had to go through a delete it, and some of it was relatively offensive. People just don't have the time for that," Guillotti said.

Read the Computer Weekly article


Lloyds TSB is to introduce an automated phone fraud alert service for all its debit card holders.

The system is already used on the bank's credit cards and now debit card holders will receive an automated call whenever the bank's systems believe a card could be threatened by a fraudulent transaction.

The automated calls will kick in when the card is being used for particular transactions when the customer is not present during the deal, such as web, phone or postal purchases.

The customer will have to give permission for the transaction to go ahead; if they don't, they will be put through to an operator who will be able to freeze the account and prevent the transaction completing.

Read the Computer Weekly article


Banks in unacceptable data protection breach

The UK Information Commissioner’s Office (ICO) has found 11 banks and other financial institutions in breach of the Data Protection Act after investigating complaints concerning the disposal of customer information.

  • HBOS
  • Alliance & Leicester
  • Royal Bank of Scotland
  • Scarborough Building Society
  • Clydesdale Bank
  • Natwest
  • United National Bank
  • Barclays Bank
  • Co-operative Bank
  • HFC Bank
  • Nationwide Building Society
  • Post Office

were all found to have discarded personal information in waste bins /receptacles outside their premises.

Read the article


Phishing scams more costly than bank robberies

Although bank robberies are a perennial threat to banks, their employees and their customers, the increasingly sophisticated and accessible high-tech fraud tactics used by cyber criminals are a greater - and growing - threat to a bank's bottom line.

In a bank robbery, especially in the unusual case where the whole bank is taken hostage, a situation The Mechanics Bank encountered when its Point Richmond branch was robbed in November, the bank's main concern is safety. The amount of money taken typically is fairly small and will not dent a bank's bottom line. Further, bank robbers are apprehended in almost 58 percent of cases, according to Federal Bureau of Investigation statistics. Only murder has a higher rate of clearance by arrest.

That's a stark contrast to checking account fraud, which cost financial institutions $2.4 billion over one 12-month period that ended in 2004, according to a study by research firm Gartner Group. A portion of those losses was caused by "phishing," a scam in which crooks use fraudulent e-mails and Web sites in an effort to entice consumers to give up personal and account information. Since 2004, phishing attacks have grown exponentially.

Not only are the losses greater, it's also harder to catch a cyber thief; investigators often find themselves chasing a ghost who may have put up a fake Web site for just a couple of days. When it comes to financial losses, bad loans, unscrupulous employees, check fraud and identity theft are far more worrisome for banks than robberies.

Read the article in MassLive.com


ISPA on Spam. Block port 25 says Trend Micro

An article in silicon.com today is headlined "Spam storm needs ISP action, urges security chief", and so it does. ISPs have the ability to secure mail servers, making it next to impossible for spammers to exploit the weakness attributed to an unsecured mail server running in port 25, the port of choice for spammer attacks.

But the article also highlights David Rand, CTO of security company Trend Micro, who told silicon.com: "I absolutely believe this is the ISPs' responsibility. Yet top ISPs still aren't doing anything."

Rand said: "It's not like the ISPs can't tell this is going on. They can see all this on their networks."

So far so good. He's right. And it is obviously not lack of knowledge that stops the ISP from killing SPAM. But Rand is also quoted as saying that the blocking of port 25 will pretty much solve this problem.

Read the article


Card fraud losses continue to fall 

  • Total card fraud losses fall from £439.4m in 2005 to £428.0m in 2006
  • Card fraud losses at UK retailers fall by 47%
  • Online banking fraud increases from £23.2m in 2005 to £33.5m in 2006
  • Cheque fraud losses fall from £40.3m in 2005 to £30.6m  

2006 fraud figures released today (14 March 2007) by APACS, the UK payments association, show total card fraud losses fell by three per cent in the past year to £428m – a decrease of nearly £80m over the past two years. This fall has been driven by a 13 per cent decrease in UK domestic fraud and the combined reduction of more than £45m in mail non-receipt and lost and stolen fraud.

Credit and debit card fraud losses on UK-issued cards split by fraud type

Fraud Type

2006 (+/-change on 2005)

2005

2004

Counterfeit (skimmed/cloned) card fraud

£99.6m (+3%)

£96.8m

£129.7m

Fraud on stolen or lost cards

£68.4m (-23%)

£89.0m

£114. 5m

Card-not-present fraud (phone/internet/mail)

£212.6m (+16%)

£183.2m

£150.8m

Mail non-receipt

£15.4 m (-62%)

£40.0m

£72.9m

Card ID theft

£31.9m (+5%)

£30.5m

£36.9m

TOTAL

£428.0m (-3%)

£439.4m

£504.8m

Contained within this total:

 

 

 

UK retailer (face-to-face transactions)

£72.1m (-47%)

£135.9m

£218.8m

Cash machine fraud

£61.9m (-6%)

£65.8m

£74.6m

Domestic/International split of total figure:

 

 

 

UK fraud

£309.8m (-13%)

£356.6m

£412.3m

Fraud abroad

£118.2m (+43%)

£82.8m

£92.5m

The introduction of chip and PIN has made it more difficult for fraudsters to commit card fraud in the UK , with losses at UK retailers falling by £146.7m over the past two years. However, criminals are still targeting our cards with the aim of copying the magnetic stripe data. They use this data to create counterfeit magnetic stripe cards that can potentially be used in countries that haven't upgraded to chip and PIN. This has caused the increase in fraud abroad losses over the last 12 months

Read the article .


McAfee, Inc. Partners With VeriSign to Promote VeriSign Extended Validation SSL Certificates

McAfee, Inc. (NYSE: MFE) and VeriSign, Inc. (NASDAQ: VRSN), the leading provider of digital infrastructure for the networked world, today announced that McAfee® will automatically enable consumers using Microsoft Internet Explorer 7 (IE7) operating on the Windows XP operating system to get the new Extended Validation (EV) functionality for sites that use VeriSign SSL Certificates.

VeriSign EV SSL Certificates help maximize consumer confidence by providing third-party verification of a Web site's authenticity, while securing online transactions through encryption. When a user enters a URL through a high-security browser such as IE7, the browser address bar will turn green, indicating that the site's identity has been verified using known, reliable authentication methodology. The green browser bar will also display both the name of the verified organization as well as the SSL provider, allowing consumers to confirm the genuine name of the businesses with which they are interacting.

Read the article


Regulations and a fear of banner headlines put the focus on data, not network, security

For DuPont, Gary Min may have seemed a model employee. A research chemist at DuPont's research laboratory in Circleville, Ohio, Min was a naturalized U.S. citizen with a doctorate from the University of Pennsylvania who had worked for DuPont for 10 years, even earning a business degree from Ohio State University with help from his employer. During that time, he had moved up the ranks within the company, taking on various responsibilities on research and development projects within its Electronic Technologies business unit. He specialized in the company's Kapton line of high-performance films, which are used, among other places, in NASA's Mars Rover.

But Min's veneer of respectability began to crack on Dec. 12, 2005, when he told his employer he would be leaving his job. According to a civil complaint filed by DuPont against Min, a company search the next day revealed that Min had recently been an avid user of the company's electronic document library, accessing almost 23,000 documents between May and December 2005, including more than 7,300 records in the two weeks prior to his giving notice. Alarmingly, Min had strayed from his area of specialization, rummaging through sensitive documents related to Declar, a DuPont polymer that competed directly with PEEK, a product made by Min's future employer, Victrex.

With Min indicating he would relocate to a Shanghai office of Victrex, DuPont appealed to both law enforcement and the civil courts that it was worried its former researcher was absconding with a treasure trove of trade secrets for Victrex and perhaps other Chinese companies.

DuPont is not alone. The broad outlines of the Min case — his Chinese nationality, his links to companies operating in that country, and the broad scope of his attempted intellectual-property heist from DuPont — are in keeping with what the FBI says is an epidemic of state-sponsored economic espionage. By one estimate, there are as many as 3,000 front companies in the United States whose sole purpose is to steal secrets and acquire technology for China's booming economy.

Welcome to the brave new world of enterprise security, circa 2007. It's a world where the troubles of yesteryear — loud and stupid Internet worms and viruses such as MSBlaster, Sobig, or SQL Slammer — seem trivial. In their place are rogue insiders with legitimate credentials, armed with Trojans and rootkits controlled from afar that may lurk for years without detection, bleeding companies of sensitive information. It's a world in which premeditated plunder of specific data, rather than the mere breaching of the perimeter, is the point of network intrusions. And that means companies, more than ever, must monitor and secure data to prevent it from falling into the wrong hands.

read the InfoWorld feature article


Bank of England issues new £20 note - APACS gives an overview of Britons' use of cash

To coincide with the Bank of England's launch today (13 March) of a new £20 note featuring economist Adam Smith, APACS - the UK payments association – gives an overview of how we use cash and how this has changed in recent years. APACS figures show that although plastic card payments are increasingly popular, Britons show no signs of abandoning cash any time soon.

Cash still accounts for more than six in ten (63 per cent) of all day-to-day payments by volume, and the £20 note is one of the most popular denominations of them all – accounting for 66 per cent of all notes dispensed by British cash machines in the last quarter of 2006.

read the article


McAfee SiteAdvisor maps risky Web domains

A map unveiled this week by McAfee and based on data from its SiteAdvisor service paints Russia and Romania deep red as the countries whose domains are most likely to host "drive-by" exploits.

McAfee SiteAdvisor, a free-of-charge plug-in for Internet Explorer and Firefox, rates sites on several criteria, including dangerous downloads, spam tendencies and hosted exploits. It then posts green, yellow and red icons on search results obtained from Google, Yahoo or MSN.

McAfee applied the results of its site scanning to come up with the Flash-based map, which will be updated monthly.

"When it comes to safety, it turns out that the Web is no different than the physical world. There are safe neighborhoods and safe Web domains, and then there are places no one should ever visit," said Mark Maxwell, a McAfee senior product manager, in a statement.

Read the ComputerWorld article


Reuters launches first market led solution to MiFID regulations

Reuters today (12 March 2007) announced a package of measures aimed at solving the most pressing data problems for clients who will soon have to comply with Europe's Markets in Financial Instruments Directive or MiFID.

From November 1st this year, MiFID will require investment firms to execute trades efficiently at the best price, publish that information and show that the best price was obtained for clients. In response Reuters is offering a suite of solutions, developed with clients, which will allow users to meet the key demands of MiFID.

Today's announcement means that these requirements can all be handled by Reuters and will be offered based on proven solutions in use by customers today.

read the article


UK Information Commissioner calls for international privacy standards

The U.K.'s information commissioner, Richard Thomas, has called for international harmonization of privacy rules.

His call follows recent disputes between the E.U. and the U.S. over privacy safeguards for European air passenger data and financial transaction information requested by the U.S. as part of its anti-terrorism efforts.

Speaking at the International Association of Privacy Professionals' summit in Washington, Thomas said: "We must all do global privacy better. Information flows do not recognize international boundaries. The internet is rightly called the world wide web. Likewise travel, finance, commerce, telecoms, crime, scams and terrorism all increasingly operate internationally.

"We can no longer go on with different privacy controls in different parts of the world. Inconsistencies cause unnecessary confusion and complexity, increased costs and reduced consumer trust and confidence."

He added: "Greater consistency -- especially between U.S. and E.U. approaches -- will reduce barriers to transferring data and give people better assurances that their personal information is protected wherever it goes."

Read the ComputerWorld article

 


SEC suspends trading of 35 pump-and-dump spam companies

SEC rolls out Operation Spamalot, investigates 35 suspected firms

The Securities and Exchange Commission has taken the drastic step of suspending trading in shares of 35 companies whose stocks have frequently been touted in mass spam campaigns.

SEC officials said on Feb. 8 that the firms involved -- none of which are household names -- have been the subject of repeated spam efforts meant to drive up trading of their securities and, subsequently, the value of the companies themselves.

The trading bans will last for 10 days, after which shares in the involved companies will be unlocked -- unless the SEC's ongoing investigation proves any of the firms were involved in the e-mail schemes.

While the ban might seem unfair to the businesses involved, especially if their names and securities were merely selected by scammers looking for penny stocks to inflate in so-called pump-and-dump operations, SEC officials said that in each business's case, there were sufficient questions raised regarding the "adequacy and accuracy" of information being advertised about the companies.

Criminals have increasingly begun using spam to drive up interest in cheap stocks over the last several years. Before sending out mass messages about a specific firm, the individuals buy stock in the companies in the expectation that, with their e-mails, they can convince other people to purchase shares. When prices of the shares involved rise, the schemers sell off their own holdings, thus the pump-and-dump moniker.

Read the InfoWorld article


Edinburgh Sheriff finds spammer liable for over £1300.

In what is believed to be the highest damages award an individual has received in the UK and thought to be the first case in Scotland, an Edinburgh man has successfully claimed damages from a sender of unsolicited commercial email.

Gordon Dick was granted decree in Edinburgh Sheriff Court against Transcom Internet Services Ltd (Transcom) of Henley-on-Thames. The judgement, in January, awarded Mr Dick damages and, unusually for a small claim, lifted the normal £75 cap on expenses the defender was ordered to pay.

For receiving spam email from Transcom, the court awarded Mr Dick :

Damages: £750 plus 8% interest per annum from 10th May 2006 until paid
Expenses: £618.66
Total £1368.66 (plus interest)

If all 72,000 recipients of this particular spam were eligible to claim the same damages then the spammers bill could total over £54,000,000!

Read the article


Rinbot worm won't go away

The Rinbot worm continues to pester and plague companies, several security organizations said, even as Symantec Corp. declared that its honeypot network had captured traffic showing that a botnet was spreading the malware.

Rinbot is an on-again, off-again threat that exploits a pair of long-patched vulnerabilities -- one in Microsoft Windows' Server Service fixed in August 2006, the other in Symantec's own Client Security and Symantec AntiVirus software, which were patched in June. Rinbot was last in the news a week ago when systems at Turner Broadcasting System Inc., part of Time Warner Inc. and the parent of Cable News Network LP, were reportedly attacked by Rinbot. The worm is also known as Delbot.

Shirley Powell, a spokeswoman for Turner Broadcasting, declined to identify the exploit that hit the company's network. But she confirmed in an e-mail that "we have been hit by a virus." The effect was minimal, but "repairs are ongoing," she said.

Security professionals urged users to patch their systems, but at least one said the Rinbot threat was overstated. "This is [just] one of thousands of bots crawling the Internet today," said Ken Dunham, director of VeriSign Inc.'s iDefense rapid-response team. "Some bots are more interesting than others, and some more sophisticated. There is no large global threat issue with Rinbot variants to date."

Yesterday, however, Symantec posted a warning to customers of its DeepSight threat alert network that honeypots -- deliberately unpatched and unguarded PCs that try to attract exploits for evaluation -- had detected botnet traffic connected to Rinbot's spread. In the attack against the Symantec honeypot, an exploit used the Microsoft vulnerability to compromise the PC, then downloaded a Rinbot variant.

read the ComputerWorld article


France publishes SOX Whistleblower report

On 6 March, a report into the potential establishment of whistleblowing schemes in French companies was published. The report was commissioned by the Minister of State for Employment and reaffirms the CNIL's (the French data protection authority) position that whistleblowing is and should remain an additional means of disclosing important company information, provided that there is no obligation on employees to blow the whistle.

The report argues that a company's whistleblowing scheme must protect the company's interests, but should not be used to "settle old scores" or involve employees in the exercise of disciplinary powers. The report further recognises the importance of protecting the identity and interests of the whistle blowers, stating "it seems legitimate to allocate the same protection to the whistleblower as long as this person has acted in good faith." As such, the report provides for the "possibility of anonymity in certain conditions."

The report proposes that the scope of whistleblowing be limited to a number of situations, such as the commission of acts contrary to legislation or regulations which may seriously harm the running of the company. Proposals are contained in the report to amend the French Labour Code and specifically the areas providing for the information and consultation procedure of the Company's Works Council, if any, and the optional negotiation with the employees' representatives.

read the article


Security expert cracks RFID chip in U.K. passport

Consultant's demonstration raises new concerns about the security of data in RFID chips

A security expert has cracked one of the U.K.'s new biometric passports, which the British government hopes will cut down on cross-border crime and illegal immigration.

The attack, which uses a common RFID (radio frequency identification) reader and customized code,  siphoned data off an RFID chip  from a passport in a sealed envelope, said Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology. The attack would be invisible to victims, he said.

"That's the really scary thing," said Laurie, whose work was detailed in the Sunday edition of the Daily Mail newspaper. "There's no evidence of tampering. They're not going to report something has happened because they don't know."

The British government, which began issuing RFID passports about a year ago, eventually wants to incorporate fingerprints and other biometric data on the chips, although privacy activists are concerned over how data will be stored and handled.

Currently, the chip contains the printed details on the passports, the person's photograph and security technology to detect if those files have been altered.

The attack was executed while the passport was still in its original envelope used to send it from the passport service, since RFID chips can be read from a few inches away, Laurie said. He used a passport ordered by a woman affiliated with No2ID, a group that opposes the U.K.'s biometric passport and ID card programs.

Read the InfoWorld Article

 


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.