News - a Roundup of all the news items between April 2007 and May 2007, Newest First
When Is It Time To Hire A Call Center?
More business is a good thing, but it creates challenges: A backlog of tasks, costly space and equipment demands and, frequently, a phone that won't stop ringing. Many ecommerce business owners turn to customer call centers for help.
That was the case for Revival Animal Health of Orange City, Iowa, a supplier of small animal products. The 65-employee company's growth meant more phone calls from its customer base of breeders and pet owners than its on-site call center could handle. Customers who called after hours and on weekends had to talk to the answering machine.
"It was hard to find people in our community to work on Sundays," said business analyst and accounting/IT manager Karen VandenBrink. It was time for Revival to consider an outside call center.
For most business owners, the switch to a call center is not so much a choice as something thrust upon them, said National Call Centers' executive director David Butler.
"Suddenly every person seems to be spending all their time on the phone," he said. "The whole staff becomes a mini call center. It stops people from doing their work." That's a poor use of time and expertise, said Sharon Rogers of Midco, an inbound customer call center based in Sioux Falls, S.D.
Read the article in Practical eCommerce
Don't underestimate Mifid IT security, warn experts
Finance companies are leaving themselves open to potential lawsuits because they are underestimating the IT security requirements needed to implement the Markets in Financial Instruments Directive (Mifid), experts have warned.
Ambiguities in the directive mean that organisations are leaving decisions on IT security to business analysts, who are less aware of the need to maintain data integrity, said PJ Di Giammarino, chief executive at consultancy JWG-IT.
"The problem is that Mifid does not define accountability or measures for ensuring IT systems are secure," he said. "Maintaining the security of data is implicit in the directive, but it is not made explicit."
Although Mifid does not spell out what steps IT departments should take to secure data, organisations need to be able to show that they have systems in place to ensure that any sensitive data they are holding has not been compromised. Failure to do so could leave organisations exposed to lawsuits.
Read the Computer Weekly article
Only 13% of Financial Services Firms On Track with MiFID Preparations, Reveals SunGard-TradeTech Survey
SunGard, a leading provider of software and processing solutions for financial services, and TradeTech, a leading research firm, announced today (25 April 2007) that according to the firms' joint MiFID readiness survey, only 13% of financial services firms are confident that they are on track to meet new MiFID regulations. Over 60% of respondents indicated that their preparations for the directive still required some work, despite the rapidly approaching November deadline.
The survey results, taken from the third in a quarterly series of polls undertaken by SunGard and TradeTech, reinforce those of an earlier poll in which over 65% of respondents admitted that they were yet to even identify or plan operational budgets to meet the demands of the directive.
With only three European countries meeting the January 31st deadline for transposition of MiFID regulations into local law, 63% of those surveyed believed that, even if other EU countries failed to meet the November deadline, those countries that were on track should not delay their own implementations. This response comes despite respondents' concerns that MiFID-ready countries may be placed at a competitive disadvantage to those falling behind. Forty-six percent of those surveyed also stated that they remained concerned that their own national regulators would add further complexity to MiFID through the imposition of national laws and additional guidance.
Read the article
Phishing attack evades bank's two-factor authentication
A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from the online accounts of customers who fell for a phishing scam.
Two-factor authentication for online banking usually involves passwords and tokens which provide synchronised, constantly changing numbers to use as additional evidence of identity.
The security industry has promoted the tokens as a preventative measure against hacking for users of remote corporate or banking systems. However, experts have warned that they are still vulnerable to phishing attacks, where fraudulent emails lure recipients to bogus websites that are set up to gather security details.
Read the article in The Register
New Ponemon Study Details U.K. Trends in Enterprise Encryption Adoption
PGP Corporation, a global leader in enterprise data security and encryption solutions, today announced at Infosecurity Europe 2007 results from a new U.K.-based study on enterprise motivations and strategies for protecting data with encryption. The Ponemon Institute's "2007 Annual Study: U.K. Enterprise Encryption Trends" shows U.K. businesses believe protecting their brand and reputation is the most significant factor in their decision to deploy encryption technology. The survey also reveals that only 9 percent of U.K. companies have an enterprise-wide encryption strategy.
This study focused on identifying trends in encryption use, planning strategies, and deployment methodologies in U.K. IT organisations. The respondents included 541 U.K.-based IT and business managers, analysts, and executives, 65 percent of whom were at the manager level or above. Key findings of the study:
Read the article
Banks prepare lawsuit over TJX data breach
In a move that was widely expected, three New England banking associations and some individual banks announced they will sue TJX Companies Inc. over the data breach that exposed at least 45.7 million credit and debit card holders to identity fraud.
Banks have suffered a heavy financial toll over the breach, having to shell out a significant sum of money to replace compromised cards and cover fraudulent charges traced back to the TJX incident.
The Massachusetts Bankers Association, Connecticut Bankers Association, Maine Association of Community Banks and some individual banks will file the lawsuit in U.S. District Court in Boston Wednesday. Nearly 300 banks are represented by the New England associations.
Dan Forte, president and chief executive of the Massachusetts Bankers Association, told the Associated Press (AP) that his organization will invite other state bank groups from around the country to join the lawsuit, which seeks class-action status.
Read the article on SearchSecurity.com
Tablus Brings Next Generation Content Discovery to Large Enterprises
Tablus Inc., a leading provider of comprehensive content loss prevention solutions, today (24 April 2007) announced the availability of the next generation of content discovery for large enterprises. The company's release of Content Sentinel 3 represents a revolutionary approach and the industry's most viable solution for discovering sensitive content residing on corporate networks and work stations. The solution is a vital component for the IT security architecture of today's large enterprises - many of which have tens of thousands of servers and computers containing petabytes of digital content. To truly protect customer data, corporate assets and brand equity, organizations need to first locate their sensitive content across these large repositories.
"In today's content driven business environment, where information grows by the day, companies are increasingly at risk for the loss or misuse of sensitive or confidential content," said Brian Burke, research manager of security products at industry analyst firm IDC. "Whether intentional or accidental, the data breaches gripping newspaper headlines are primarily driven by an enterprise's inability to locate, and consequently protect, sensitive information. Content discovery, or the ability for organizations to locate sensitive, at-risk content, is vital."
According to a 2007 research study sponsored by EMC Corp. titled "The Expanding Digital Universe," IDC estimates that the world generated 161 billion gigabytes of digital information in 2006, a volume of content that poses new challenges for corporate governance and compliance as well as overall corporate reputation. Organizations that do not effectively incorporate content discovery into their overall IT security architectures run the risk of non-compliance with strict state and federal policies around the protection of Personally Identifiable Information (PII) and data governed by the Payment Card Industry (PCI) Standard. More dangerous than facing the fines associated with a breach of these regulations, however, is the negative impact that the loss or theft of sensitive content has on brand, shareholder value and customer loyalty.
Read the article
Nationwide Foils Phishers with Help from MarkMonitor
Financial services giant achieves ROI with Antiphishing Solutions in just three months
April 18, 2007 – MarkMonitor®, the global leader in enterprise brand protection, announced Nationwide Building Society (Nationwide), the U.K.-based financial services giant, has successfully deployed Antiphishing Solutions from MarkMonitor to automatically identify and shut down phishing scams. After just three months of use, Nationwide reports the solution has paid for itself in prevented phishing and other online fraud attacks.
According to the Anti-Phishing Working Group (APWG), 90 percent of phishing attacks carried out in December 2006 were perpetrated against financial services companies. The Anti-Phishing Working Group also estimates that overall financial losses due to phishing top $1 billion per year. As a leading European financial institution, Nationwide found itself one of the targets for online scammers.
To combat this issue, Nationwide created a Strategic Fraud Initiative group within the company and turned to MarkMonitor for its comprehensive Antiphishing Solutions. Implemented in just 10 days, MarkMonitor made an immediate impact on Nationwide's bottom line, shutting down hundreds of phishing scams within the first few months.
Prior to working with MarkMonitor, Nationwide staff manually tracked phishing scams carried out against the company. "It became extremely difficult to shut down phishing sites quickly enough and cope with the number of incoming e-mails from customers reporting phishing attacks or suspicious-looking Web sites," said Peter Corrie, Head of the Strategic Fraud Initiative for Nationwide.
Read the article
Phishing fraudsters widen net
The number of banks targeted by phishing attacks sky-rocketed in March, according to new figures from the 'war-room' of RSA Security, the security division of EMC.
The security outfit's Monthly Online Fraud Report found that 202 banks were struck by cyber-criminals last month, a “dramatic increase” on the 153 attacks recorded in February.
Some ten per cent of brands attacked were located in the UK, placing the country second in the rankings behind the US, which hosted a whopping 73 per cent of attacks.
Read the CRN article
Cowen publishes the Markets in Financial Instruments and Miscellaneous Provisions Bill 2007
The Irish Minister for Finance, Mr Brian Cowen TD, today (20 April 2007) announced that the Irish Government had approved the publication of the Markets in Financial Instruments and Miscellaneous Provisions Bill 2007.
The EU Markets in Financial Instruments Directive (MiFID) was recently transposed into Irish law. The MiFID harmonises and modernises the EU-wide legislative framework for investment firms, promoting greater cross-border competition and the competitiveness of the EU financial sector overall.
The Bill being published today provides for some complementary measures to specify significant penalties following conviction on indictment for breaches of regulatory requirements under MiFID.
The Bill is also being availed of to make a range of largely technical amendments to various Acts including those concerning the National Treasury Management Agency, the Financial Regulator, the Financial Services Ombudsman, Ministerial pensions and credit unions.
Read the FinFacts Ireland article
Determine if SSL connections are truly secure
When users browse to a Web site that begins with HTTPS, they expect that connection to be secure via Secure Sockets Layer (SSL), a protocol for transmitting secure documents via the Internet.
The majority of Web sites use this protocol to obtain sensitive data (e.g. shopping cart data and credit card numbers from customers).
An HTTPS Web site may make most users feel relatively secure, but this alone doesn't guarantee secure transactions. To properly protect your organization's users, as well as corporate data that insecure transactions could leave open to exposure, make sure your users understand how to properly evaluate a Web site's security.
Read how on ZDNet India
Merchants Advancing Slowly on Data-Protection Efforts
Merchants are taking a harder look at complying with industry standards to safeguard credit card data, according to a study released April 16 by RSA, the Security Division of EMC.
Of those surveyed, 68% have made moderate progress in complying with Payment Card Industry standards. Another 10% have made significant progress. About 47.5% of respondents reported that they are PCI compliant.
PCI standards were created by American Express, Discover Financial Services, JCB International Credit Card Co., MasterCard Worldwide, and Visa International in 2004 to protect customers' credit card data throughout its lifecycle. The standard was most recently updated last September.
"The [PCI] guidance has very specific requirements," said Dave Howell, Solutions Manager at RSA, a security-technology vendor. "It’s very prescriptive, with more than 230 requirements."
Read the BankNet 360 article
Online security implementation is key to protecting brand: AOTS speakers
Cyber security is an issue facing all businesses online and implementing a security plan is key to protecting against online fraud, according to executives at the Authentication and Online Trust Summit.
In yesterday's opening keynote panel, "How to Fry a Phish and Protect Your Brand Domain and Infrastructure," executives discussed strategies for building a security system online. Shutdowns and browser e-mail blocking are vital to hosting a secure Web site because they will update the security of a site.
"A layered approach is key because fraudsters will often be able to penetrate one layer of your online identity," said Jens Hinrichsen, product marketing manager at RSA.
In addition, it is important to create a protective system when outsourcing e-mail. An e-mail provider should know how the brand is using communications and managing campaigns.
Read the DM News article
Popular Web Sites Highly Vulnerable to Attack
Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today.
WhiteHat Security regularly scans hundreds of "very popular, very high-traffic sites" for its online business customers, says Jeremiah Grossman, the company's founder. "More than likely, you have shopped there, or bank there," he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says.
Two out of three scanned sites have one or more cross-site scripting (XSS) flaws, which take advantage of problems with sites' programming and are increasingly used in phishing attacks. A recent eBay scam used a now-fixed XSS hole on the auction site to direct anyone who clicked on a phony car auction to a phishing site.
Read the PC World article
Online consumers not scared off by cyber criminals
Research from BT, with support from the University of Plymouth and part-funded by the DTI, indicates UK citizens are not ICT risk-averse
UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed.
According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives.
As a long-standing target for fraudulent activity, the banking industry has been particularly robust in communicating security measures to customers using internet banking services and, in many cases, guaranteeing to refund victims. Consequently, it has been successful in attracting customers online. Recent figures from Apacs show that the number of UK customers using Web banking services has outstripped those using telephone banking for the first time.
Read the article
DechertOnPoint - A Legal Update from Dechert's Data Protection and Privacy Group - April 2007
Data Protection Developments in Europe, from Whistleblowing Principles to Security Breach Planning
Data protection and privacy issues in the EU vary by member state. The Belgian Privacy Commission has issued an opinion on a telecommunication network's failure to comply with its obligations when transferring data to the US, and a recommendation containing basic principles on whistleblowing. In Germany, the thresholds for the requirement for a data protection officer have been increased. The French Data Protection Authority has issued recommendations on the methods to be used in order to measure the diversity of the origin of employees. And in the UK, security breaches serve as a reminder that firms must continue to assess Information Security risks and develop contingency plans.
Read the article and DechertOnPoint
Chi-X Successfully Begins Full Equity Trading, Clearing and Settlement
Pan-European ATS now fully trading AEX 25 and DAX 30 indices, with clearing services provided by Fortis; Credit Suisse's Advanced Execution Services begins providing externally routed order flow; BNP Paribas approved as “General Clearing Participant”
Instinet Chi-X® Limited, a pan-European equity alternative trading system (ATS), today (16 April 2007) announced that it is successfully trading, clearing and settling the component stocks of the AEX 25 (Dutch) and DAX 30 (German) indices with the help of Fortis’ European Multilateral Clearing Facility (EMCF) entity, a non-exclusive partner. With this phase of the Chi-X rollout in place, the integrated system is now the first to offer trading and clearing services that completely bypass Europe’s existing exchanges and central counterparty infrastructure.
Chi-X will begin trading the component stocks of the FTSE 100 index by the end of Q2. The other major European markets will be introduced ahead of MiFID later this year. Chi-X has been in live beta production since November 2006, during this time successfully executing trades from Instinet’s client order flow.
“Chi-X is a completely open and MiFID-compliant trading platform, allowing institutional and private client investors to access it through any broker that connects to Chi-X and becomes an accredited partner,” said Tony Mackay, Managing Director of Instinet Chi-X Limited. “We strive to provide market participants with an attractive alternative to trading on the incumbent exchanges, and it is also our intention to make offers of equity ownership to selected participants.”
Read the article
MessageLabs Intelligence Targeted Attack Report: Increase in One-on-One Targeted Attacks
MessageLabs, a leading provider of integrated messaging and web security services to businesses worldwide, today (18 April 2007) revealed new data on the levels, victims and sources of targeted email attacks in March 2007. Last month MessageLabs intercepted 716 emails in 249 separate targeted attacks aimed at 216 different organizations. Of these, almost 200 were one-on-one targeted attacks where the tailored attack comprised a single email designed to infiltrate one organization. These numbers represent a significant increase when compared to the same period last year when attack rates reached one or two per day.
For the first time, PowerPoint has emerged as the most common exploit vector, likely driven by the large number of attacks perpetrated by one gang using the same attack file, mostly originating from an IP address within Taiwan. Achieving notoriety as a carrier of typical email viruses, .exe files only accounted for 15 percent of the targeted attacks, while the more familiar Microsoft Office suite accounted for 84 percent of targeted attacks in March 2007.
Other characteristics of these attacks include that they are typically timed to arrive during the busy workday and rarely over a weekend and most commonly target these five industry sectors: electronics, aviation, public sector, retail and communications.
“The bad guys know which organizations have data worth stealing and are picking them out one by one,” said Alex Shipp, Senior Anti-Virus Technologist, MessageLabs. “These targeted attacks are highly difficult to detect as the large majority consist of a single email to one individual, which means they never have anti-virus signatures created by traditional anti-virus software. However, if you happen to be that one company targeted the impact could be devastating. A proactive anti-virus defense, such as MessageLabs Skeptic™ technology is essential along with employee education and vigilance since many of these attacks are highly personalized.”
Read the article
Vast majority concerned about data security, finds study
Research released today has found only 5% of respondents claimed not to be concerned about the security of their personal data.
The Mori poll conducted among 1,243 UK consumers at the end of March also revealed nearly two in three (63%) are concerned about the ability of datacentres to protect their data in the UK and abroad.
As a result, more than half (58%) of respondents want government bodies to take greater responsibility for the protection of personal data. A massive 82% would expect to be notified immediately in the event of a data breach.
Paul Davie, chief executive of UK database security supplier and research sponsor Secerno, said the research reflected the consumer reaction to recent high-profile security breaches.
Last month, building society Nationwide was fined £1 million by the Financial Services Authority and TJX, parent of UK retailer TK Maxx, admitted the credit card details of 45 million customers worldwide had been compromised.
Read the Computer Weekly article
Data collation can evade Data Protection Act
Court of Appeal overturns data processing ruling:
The selection and collation of information from several files held on a person does not necessarily count as processing of personal data, according to the Court of Appeal. The activity can escape the remit of the Data Protection Act.
The Court of Appeal overturned a High Court decision on the issue of the creation of personal data, though the practical result of both rulings was the same.
David Paul Johnson took a case against the Medical Defence Union (MDU), a non-profit body which provides indemnity policies for its members. The MDU had refused to renew Johnson's policy after it conducted a review of his case and Johnson argued that the organisation had not processed his data fairly and had therefore breached the Data Protection Act.
Read the article in The Register
3M's Brand Protection and Authentication Product Line Bolstered by Leading Secure Serialization and Web Authentication Capability
Thanks to a new partnership agreement with the product and supply chain security company Verify Brand, 3M's brand protection and authentication product line will offer customers the additional capability of confirming product authenticity, location and tracking of products via the Web using secure mass serialization technology.
The two companies will work together to combine 3M's extensive array of materials-based security solutions and Verify Brand's experience with its unique and patent-pending electronic product authentication solution. The agreement will allow 3M to sell, market and produce the Verify Brand platform of software products and services as an additional security layer to its customers across the globe.
The integrated and comprehensive solution enables brand owners to securely serialize their products using any method of carrying a unique code on a product, its label or package. Unique codes can be authenticated via the Web using a computer, call center, SMS or text messaging, bar code scanners or RFID tags. The solution also enables the authentication of materials security included on product labels or packaging. The technology also has additional benefits such as real-time tracking, alerts, field reporting, management of and response to unauthorized events, as well as ad hoc and scheduled reporting on authentication activity. This enables manufacturers to dramatically increase visibility into their supply chain and thereby more proactively address a multitude of supply chain issues, including counterfeiting, diversion, return and warranty fraud, manufacturing overruns, product recalls and field inventory management. The ability to authenticate products can also be marketed to consumers as an additional security feature.
Read the article
Many EU states face legal action over MiFID
The European Commission is preparing legal action against many European countries for failing to introduce sweeping new financial services rules into national law on time, an EU source said on Thursday.
Data provided by the EU executive showed that only three of the bloc's 27 members -- Britain, Ireland and Romania -- met the January 31 deadline for transposing the Markets in Financial Instruments Directive, or MiFID, into national law.
"It is expected that within the next few weeks infringement proceedings will be started against countries that have not transposed MiFID," the EU source said.
The European Commission declined comment.
The source said it was unclear when the cut-off point would be for determining which countries faced legal action as some states are due to transpose the rules this month or in May.
Read the Reuters Italia article
SpamX Anti-spam app hindered by complexity
I generally like applications with an attitude -- they understand their mission, and their makeup and design make no bones about the way they intend to accomplish it. I'm not, however, enamored of attitudinal applications that are difficult to configure and confusing to navigate. Regrettably, that pretty well sums up SpamX 3.0.2.
More than any other spam utility I've tried, SpamX focuses on combating spammers by offering extensive reporting options. The program can extract what it thinks is the originating address of the spam and report it to the originating ISP's abuse address. Regrettably, it's hard to tell how effective this is in either catching existing spam or preventing new spam. When I reported several dozen spam messages, I received at least a dozen confirmation and undeliverable mail messages, which just added to my inbox clutter.
While you're not absolutely required to have a degree in computer science to use SpamX, it certainly wouldn't hurt. This Java-based program is configured through a single window that incorporates eight menus (much like Windows applications). Options included in this window, such as Class B Match and Source Consistency, will confuse a lot of people, and the program's Help menu isn't very helpful -- invoking it takes you to the SpamX Web site, which offers the barest instructions on how to set up the program.
Read the IT World Canada article
Australia - Local security for other nations
Security experts believe Australia's geographical isolation represents an opportunity to offer secure online services to nations with poor reputations for security.
John Debrincat, managing director of leading eBusiness solutions provider eCorner, said Australian eCommerce currently lags the more mature European and US markets by two to three years, and that means the industry can learn from their mistakes and improve our success rate.
Debrincat believes Australia's low profile and the fact that the country has only a few highly secure conduits for online traffic in and out of the country gives us a far greater ability to control and protect users than Europe, North America or parts of Asia.
Read the SC Magazine article
How a virus blackened my reputation
We all like to think of ourselves as popular, so it comes as something of a shock to find yourself on a blacklist. But that's exactly what happened to me last week or, rather, to my public IP address which, if you rely on email, is an equally damaging slight. Moreover, it's an illustration of the fact that no matter how well protected you think you are, network security is easily breached.
It all started when my outgoing emails started to bounce back. Not all of them, just a few (including those to IT Week), leading me to think that it was a problem with the receiving servers. But then a pattern emerged. The bounce-backs were all from servers using MessageLabs filters, telling me in no uncertain terms that I was a suspected spammer and needed to do something about it.
A quick search on www.dnsstuff.com soon revealed the cause. There was my public IP address on not just one, but five blacklists, clearly highlighted as a potential source of spam. According to the mail logs at my ISP, the messages weren't being sent by their servers, so a mass-mailing virus on a machine somewhere on my LAN was the most likely culprit. Equipped with the latest updates I diligently checked all my PCs and servers for viruses. I even checked machines running Linux, but all came up clean. Yet I was still being blacklisted.
Read the article at Active Home
Security Enforcement, The Cooperative Way
Imagine all of your network and security devices working as a unit to enforce security policy. That's the vision of "cooperative policy enforcement," an emerging concept being promoted by Aventail.
Aventail late this summer or early fall will add SOAP-based interfaces to its SSL VPN gateways that will support cooperative policy enforcement among its products and other networking and security tools, Dark Reading has learned.
While network admission control (NAC) is emerging and there are many different policy enforcement tools available, there still isn't a common, coordinated structure for enforcing policy across all devices. Chris Hopen, CTO of Aventail, says the key is having a broader policy that aggregates the traditionally separate policies of firewalls, routers, switches, VPN gateways, and NAC boxes.
CheckPoint Software already offers a similar approach with its Integrity NAC products. It integrates policy elements of NACs and gateways, for instance, using IEEE 802.1x standards, says Rich Weiss, director of endpoint marketing for CheckPoint. "Any NAC approach has to work in different environments, whether it's Aventail, CheckPoint, etc."
Read on at Dark Reading
Chinese spammers go quiet
The amount of spam originating from China dropped dramatically in the first three months of the year, an IT security firm says.
In the period from January to March, China accounted for 7.5 per cent of all worldwide spam, Sophos said in a statement. This compared with 21.9 per cent in the year-earlier period.
"China, who until recently was an intimate rival to the US, dropped dramatically during the last quarter," said Carole Theriault, a senior security consultant at Sophos.
No immediate explanation was provided in the statement as to why spam had declined from China, otherwise seen as a spam superpower.
However internet communications from China and elsewhere in Asia have only recently recovered from damage to undersea cables caused by an earthquake near Taiwan last December.
Read the article in Australian IT
PCI Won't Save You
You'd think that the Payment Card Industry (PCI) standard for protecting consumer credit card information would be chock full of requirements for protecting against the loss of personally identifiable information. Or that security teams would be able to use the 12 requirements as a template for protecting against all kinds of sensitive data losses.
Unfortunately, it's not, and they can't.
Both PCI and the Sarbanes-Oxley Act focus more on the integrity of the data and the processing infrastructure. Neither one requires much in the way of data leakage detection. So to avoid being the next TJX on your block, here are a few steps to consider for protecting your business:
Read more at Dark Reading
Shops in rush to meet card security rules
Time is running out for organisations that handle credit card payments to make their systems compliant with a new security standard, experts have warned.
In less than three months, the Payment Card Industry, which represents credit card companies, will bring in the PCI Data Security Standard (DSS) to help safeguard customer data.
But there are fears that many smaller retailers, in particular, will not be ready for the 30 June deadline and could face fines.
The PCI DSS sets requirements for the monitoring and storage of credit card information to four levels of security, depending on the volume of credit card transactions being handled.
Firms with large numbers of transactions are required to monitor closely all access to stored credit card information, and they can be audited quarterly at a cost of up to £10,000 a time to ensure best practice is adhered to.
Read the Computer Weekly article
Privacy essential for corporate governance
“Privacy is now a cornerstone of corporate governance,” says Toby Stevens, director of Enterprise Privacy Group and keynote speaker at the ITWeb Security Summit 2007, to be held at Vodaworld from 22 to 25 May.
Stevens says privacy must be treated as a critical part of an organisation's corporate governance infrastructure, and assigned the same priority and penalties as any other aspect of that infrastructure.
“If privacy isn't mentioned in the annual corporate governance report, then something has gone wrong,” says Stevens.
The problem with privacy, he says, is that unlike security it is extremely difficult to mandate standards for the handling of personal information, since we all require different levels of control. He adds that data protection laws provide frameworks to ensure that organisations go through due process in the handling of personal information, but they don't specify standards for how to actually do it.
Read the IT Web article
Don't use obsolete WEP for WiFi, say German security researchers
The Wi-Fi security protocol WEP should not be relied on to protect sensitive material, according to three German security researchers who have discovered a faster way to crack it. They plan to demonstrate their findings at a security conference in Hamburg this weekend.
Mathematicians showed as long ago as 2001 that the RC4 key scheduling algorithm underlying the WEP (Wired Equivalent Privacy) protocol was flawed, but attacks on it required the interception of around 4 million packets of data in order to calculate the full WEP security key. Further flaws found in the algorithm have brought the time taken to find the key down to a matter of minutes, but that's not necessarily fast enough to break into systems that change their security keys every five minutes.
Now it takes just 3 seconds to extract a 104-bit WEP key from intercepted data using a 1.7GHz Pentium M processor. The necessary data can be captured in less than a minute, and the attack requires so much less computing power than previous attacks that it could even be performed in real time by someone walking through an office.
Anyone using Wi-Fi to transmit data they want to keep private, whether it's banking details or just e-mail, should consider switching from WEP to a more robust encryption protocol, the researchers said.
"We think this can even be done with some PDAs or mobile phones, if they are equipped with wireless LAN hardware," said Erik Tews, a researcher in the computer science department at Darmstadt University of Technology in Darmstadt, Germany.
Read the InfoWorld article
ABN pays out over hacked accounts
ABN Amro has compensated four customers who lost cash when hackers stole money from their accounts using a malware phishing technique.
The hackers overcame the bank’s two-factor authentication system by first sending the victims an e-mail containing an attachment.
The bank’s customers opened the attachment, which installed malware on their machines. This malware changed the customers' browser settings, so when they tried to visit the ABN Amro site they were instead directed to a spoof copy of the site.
Read the Computer Weekly article
Digging into data privacy dilemmas - Compuware
The global environment in which many institutions now operate introduces a whole new set of challenges for today's executive: identity theft syndicates, data privacy legislation and Sarbanes-Oxley are driving organisations to review how they handle sensitive customer data. Beverley Roche, Data Privacy specialist for Compuware Asia-Pacific Pty Ltd, examines the state of current security threats and the measures companies should now be taking to protect data.
Knowing who has what private information, what they do with it and who they give it to is essential, not only for regulatory compliance but also for meeting customer expectations. Customers will insist on trust and trustworthiness with their confidential data. Those organisations that can provide trust and confidence in this domain will maintain strong competitive advantage avoiding damage to their reputation. Pragmatic organisations will embrace and benefit from implementing data privacy solutions, knowing they are strengthening consumer trust and therefore protecting their company brand and image.
Read the International Developer article
Microsoft Warns of New Zero-Day Exploit
Microsoft is reporting very limited attacks against the newly reported ANI vulnerability, but some security researchers believe the new ANI exploit has similar potential to last year's Windows Metafile attacks, which rank among the most dangerous and widely exploited vulnerabilities since the Zobot worms of 2005.
On Thursday, Microsoft warned that hackers are actively exploiting a zero-day vulnerability in animated cursor, or .ANI, files for Windows. Some security researchers are comparing it to last year's widespread Windows Metafile (WMF) attacks.
Users of most supported versions of Windows and Windows Server, including Vista, are at risk of attackers taking complete control of their system. However, Microsoft offered a silver lining: users running Windows Vista and Internet Explorer 7 in Protected Mode should be safe, because the security feature doesn't allow files to access or modify any system files without user permission.
"In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker," Adrian Stone from Microsoft's Security Response Center, wrote in an official advisory.
Read the article in TopTech News
Windows zero-day flaw 'very dangerous,' experts say
With Vista at risk, eEye issues unofficial patch; attacks traced to Chinese hackers
The Windows zero-day bug now being used by attackers is extremely dangerous, security researchers said Friday, and ranks with the Windows Metafile vulnerability of more than a year ago on the potential damage meter.
"This is a good exploit," Roger Thompson, CTO of Exploit Prevention Labs, said in an instant message exchange. "It's very dangerous. One of the reasons is that there's no crash involved...it's instantaneous. And all it takes is visiting a site."
Thursday, Microsoft's Security Response Center (MSRC) issued an advisory acknowledging a bug in Windows' animated cursor, a component that lets developers show a short animation at the mouse pointer's location. Attackers, who are already exploiting the bug in limited fashion, can hijack PCs by tempting users to malicious Web sites or by sending them a malformed file via e-mail.
Other researchers waded in Friday with warnings of the animated cursor danger. "This is reminiscent of the former Windows Metafile (WMF) attacks from 2005 and 2006," Ken Dunham, director of VeriSign's iDefense rapid response team, said in an e-mail. "It's trivial to update, multiple sites now host the code in a short period of time, and the highly virulent file exploitation vector within Windows Explorer exists."
Read the article in ARN Net
Bluetooth 'poses serious threat to business'
Businesses are at serious risk of criminal activity using the Bluetooth wireless connectivity system. Financial adviser Grant Thornton says the widely used short-range system is a major threat to businesses.
Grant Thornton said key areas for concern include Bluetooth pairing attacks, where an attacker gains full access to memory content and becomes a trusted device.
There is also the threat of BlueSnarfing, where a hacker gains access to phonebook and calendar information and can divert calls to their own phone.
In addition, BlueBug attacks can allow an attacker full access to a device to initiate calls, including premium rate phone calls to a premium line they have set up themselves.
John Dunne, IT security manager with Grant Thornton's risk management services practice said, "Businesses are leaving themselves open to the possibilities of fraudulent activity, particularly as there are a number of very simple precautions that can be undertaken to ensure that the likelihood of an attack is minimised, such as disabling the Bluetooth signal on your device when it's not in use."
Read the Computer Weekly article
VASCO Adds SSL-VPN Service to aXs GUARD Authentication Appliance
Important Addition to Over 20 Different aXs GUARD Service Based on VACMAN Core Authentication Platform; Combination Authentication & SSL-VPN Killer Application for both Large Corporations and SME's; Product Showcased at Infosecurity UK
VASCO Data Security International, Inc., the leading software security company specializing in authentication products, today (29 March 2007) announced that it has added SSL-VPN functionality to its award winning aXs GUARD Authentication Appliance. The company added that it will showcase this product at Infosecurity UK (London, UK, 24-26 April, www.infosecurity.co.uk), the leading information security trade show.
aXs GUARD is VASCO's authentication appliance product line. Based on VASCO's renowned VACMAN authentication platform, aXs GUARD combines Digipass strong user authentication with a range of over 20 Internet communication services.
aXs GUARD's key markets are the global Enterprise Security market, for both SMEs and larger corporations, and the small and medium-sized banking sector.
Read the article
Phishing Sinks Confidence in E-Commerce - Gartner
Consumers, fearing ID theft, are more cautious about shopping online.
Consumer confidence in the security of their online transactions is slipping due to the growth of phishing-related fraud and identity theft, Gartner reports. As a result, consumers are curtailing their online purchases.
Phishing is the sending of an e-mail by cyberthieves with a link to a fake website that is disguised to look legitimate, in order to lure recipients into divulging personal information. Gartner estimates that 73 million adults who use the Internet received a phishing e-mail between May 2004 and May 2005, and that 2.4 million online shoppers lost money as a direct result of phishing.
Most of the losses were repaid by banks and credit card companies. Nevertheless, 75 percent of the 5,000 online consumers who Gartner surveyed said they have become more cautious about where they shop online, and one-third reported buying fewer items than they would typically purchase due to security concerns. Eighty percent of those surveyed said they now trust commercial e-mail less, while 85 percent claimed to delete unexpected e-mails without ever opening them.
Read more in CIO India
e80 - Security Breach - TJX Shareholders Sue Directors?
The US parent of stores group TK Maxx is being sued in the US by one of its shareholders after it reported that details of some of the credit cards its customers had used had been hacked. The shareholder has issued proceedings in Delaware for internal documents relating to the hacking, in what may be a precursor to an action against the company or its board. An indication that the board might be the target could be the specific request that the company disclose its board minutes.
Read the article
TJX Reveals Extent Of Hacker Damage
An internal investigation at TJX has revealed that the parent company of T.J. Maxx and Marshall's had fallen prey to a computer hacker for a longer time than initially suspected, resulting in an even greater loss of customer credit information.
TJX revealed on Wednesday that at least 45.7 million credit and debit card numbers were stolen over an 18-month period.
The company also said another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.
TJX disclosed the thefts as part of a filing to the Securities and Exchange Commission. The filing gives the first detailed account of the breach, which was initially disclosed in January.
The stolen data cover transactions dating as far back as December 2002, TJX said in the filing.
TJX is the owner of clothing retailers T.J. Maxx, Marshall's, as well as other stores in North America and the United Kingdom.
Read the article in Forbes
Nottinghamshire laptop theft compromises children's data
Three laptops, one of which contains the names, addresses and dates of birth of 11,000 children in Nottinghamshire, have gone missing from Nottinghamshire County Teaching Primary Care Trust.
The computers went missing on 21 March. The trust, which was only set up last October, says it has written to all parents of the children involved, warning them of the theft.
The laptop is said to have been password protected, but the information is not thought to have been encrypted.
Trust chief executive Wendy Saviour said, “When we discovered the theft, we immediately took steps to determine the nature of the information held on these computers.”
She said one of the computers contained names, addresses and dates of birth of local children, aged between eight months and eight years. The children are from the Newark & Sherwood, Ashfield and Mansfield areas of the county.
Read the Computer Weekly article