Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business, 4 January 2007

in this issue:
  • The Phone Phisher Cometh
  • Teens as Young as 14 Lured into Life of Virtual Criminology
  • Digital Brand & Fraud Protection Services
  • Commercial Mobile Service Alert Advisory Committee
  • VeriSign Security Review - December 2006
  • What is Rock Phish? And why is it important to know?
  • Preventing Malicious Code from "Phoning Home"
  • New specialist blogs

    Dear Visitor,

    It's almost too much of a rush with compliance, privacy, and security to have time to say "Happy New Year"; there was no letup over the Christmas break. About the only thing that slowed down was pump and dump spam because exchanges were not open enough, but that slowing was only a few percentage points!

    We're planning to be back to a newsletter every two weeks. There's so much news at present that a monthly newsletter is too long. Even this one is not short, so I'll keep the introduction brief!

    Apart from two new blogs, though we mentioned Michael Farnum briefly in the last newsletter, we're looking at:

    • Phone Phishing. I got phished by phone a year or so ago, and it's time to tell you about it
    • The luring of our kids into cybercrime, quite a nasty area
    • The VeriSign Security review, courtesy of our sponsor
    • Rock Phish, the elusive, probably Romania based, phishing party
    • Details of Digital Brand protection
    • The chance to register for the latest iDefense WebCast

    As usual we love getting your feedback. Feedback means we make sure we send the things you want to read. Either reply to me directly, or, even better, put your thoughts on one of the discussion groups. The link is at the foot of this newsletter.

    Peter Andrews

    The Phone Phisher Cometh

    Prompted by an article in The Hindu Businessline, Peter Andrews, editor of Compliance and Privacy, recalls his own brush with attempted phone phishing and ID fraud.

    Andrews received a phone call a month or two before the UK Chip and PIN cut over date. He banks at First Direct, a bank set up to handle the phone first and foremost, and he was unaware that he was about to receive a new credit card, so he was not surprised that it did not arrive. And the First Direct phone system is pretty secure, with variable questions asked.

    The call was simple. And it was in the form that the bank uses. The bank, when it calls, asks a couple of security questions, and these are usually the type with a "standard" answer, like "mother's maiden name". The "expected call centre voice" asked and was answered. There was no reason to suspect a thing at this point.

    The rest of the call was both professional and odd. Questions about which supermarkets he used were, at best, unusual. The killer question was "Please tell me a four-digit number associated with your card?"

    Teens as Young as 14 Lured into Life of Virtual Criminology

    The McAfee Virtual Criminology Report 2006 marks the second annual McAfee report into organized crime and the Internet. The study, which used input from Europe's leading high-tech crime units and the FBI, suggests that crime gangs are targeting top students from leading academic institutions in order to provide them with the skills they need to commit high-tech crime on a mass scale.

    The study reveals how Internet savvy teens as young as 14 are being attracted into cybercrime by the celebrity status of high-tech criminals and the promise of monetary gain without the risks associated with traditional crime. The report also shows how cybercriminals are moving away from bedrooms and into public places such as Internet cafes and wi-fi enabled coffee shops.

    Other key findings from the McAfee Virtual Criminology Report 2006 include:

    • The Cult of Cybercrime: Cybercrime has established a cult following with online offenders rising almost to celebrity status within hacking communities. Specialist forums to highlight potential security issues have also served to showcase 'black hat' tricks and criminal opportunity
    • The Malware Milkround: Organized crime is now employing KGB-style tactics to ensnare the next generation of hackers and malware authors. Cybercriminals are actively approaching students and graduates of IT technology fields to recruit a fresh wealth of cyber-skill to their ranks
    • Inside Jobs: Taking advantage of inadequate company security procedures, current and former employees, contractors and suppliers are instigating the vast majority of hacking attacks. Cybercriminals are sponsoring graduates with a view to gaining the lucrative insiders' view of enterprises

    Digital Brand & Fraud Protection Services

    Digital Brand and Fraud Protection services help organizations detect, prioritize and rapidly respond to suspicious activities on Web sites, blogs, online user communities, and other sources that can damage brand equity and consumer confidence.

    "Brand equity and reputation, which can be valued at billions of dollars for well known companies, can easily be compromised by online fraud, negative opinions, trademark infringement and improper logo usage," said Mike Denning, vice president and general manager, VeriSign Digital Brand Management Services. "For the first time, companies can protect revenue and their brands by rapidly responding to incidents in near real time. Our new Brand and Fraud Protection Services provide marketing, legal and IT professionals with actionable brand protection and management solutions to detect and counter any unauthorized or improper online activity that could damage their brand image and lead to lost revenues."

    "Firms have to ensure that their brand integrity remains consistent both online and offline," writes Mike Rasmussen, vice president, Forrester Research. "Malicious attacks or internal negligence can lead to compromised customer privacy, inconsistent company communications, or inaccurately published information that ultimately harms the firm's overall brand and online presence."

    With the proliferation of online fraud such as phishing and typo squatting, protecting brands online has become increasingly important for enterprise companies. According to the Anti-Phishing Working Group (APWG), the number of distinct spoof Web sites rose 52 percent in October 2006 to a record-shattering 37,444, up from 24,565 a month earlier.

    Commercial Mobile Service Alert Advisory Committee

    The Federal Communications Commission in the USA was directed by Congress to form the Committee as part of the recently-passed Warning, Alert and Response Network (WARN) Act (Title VI of Public Law 109-347). The US committee will establish a national emergency alert system to warn the American public in case of a terrorist attack, natural disaster or other crisis. Over the next year, the Committee will develop and recommend technical standards and protocols to enable mobile service providers to transmit alerts to subscribers' mobile phones.

    VeriSign Security Review - December 2006

    In this edition, learn about the 5 public blogs that VeriSign employees are using to facilitate communication and technology intelligence among customers, partners, and developers. VeriSign is responding to customer and industry needs every day, and in November VeriSign hosted several of its most influential customers at a Technical Advisory Council to discuss the state of security and the direction of future product offerings. On the international front, VeriSign gave a keynote presentation at RSA Conference Europe on the topic of Internet Security and the importance of global industries sharing intelligence to better secure online transactions. Enjoy this last edition of 2006 and have a happy and safe holiday season.

    In This Issue:

    Hot Topics

    • F500 blogs more than double this year. The Fortune 500 has discovered the benefits of blogging—and VeriSign is no exception.
    • Third Annual TAC Helps Us Track Your Needs. We're always listening to our customers and prospects—especially during our technical advisory council (TAC). 
    • VeriSign's Keynote on Identity Security at RSA Conference Europe 2006. A thought-provoking presentation, titled 'Identity Security: Time to Share', focused on the issues related to identity theft, online fraud, and phishing.

    Monthly Threat Summary

    • Microsoft's security update for November addresses a number of critical vulnerabilities, most notably in Internet Explorer 6.0, XML, and the Workstation service. Security experts believe the flaw in Workstation to be significant, as it would allow an attacker to remotely download malicious code on a targeted computer. VeriSign urges all customers to download all applicable patches as soon as possible.

    News from VeriSign

    • VeriSign to Acquire inCode Wireless
    • WestCom and VeriSign Announce Strategic Alliance
    • U.S. Department of Education Turns to VeriSign for Meeting HSPD-12 Deadline

    Security Events

    • January 8-11, 2007, International CES, Las Vegas, NV
    • January 14-17, PTC '07, Honolulu, HI
    • February 5-9, RSA Conference, San Francisco, CA

    What is Rock Phish? And why is it important to know?

    It's been in the news recently with a substantial article by Robert McMillan of the IDG News Service. After we read his article in InfoWorld, we asked Ken Dunham, Director of VeriSign's Rapid Response Team, and this is what he told us:

    Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region. This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam. The group is named after URL characteristics, where strings such as "rock" or "r" may appear in a phishing URL. Multiple characteristics are utilized in associating phishing attacks with the Rock Phish Group.

    Preventing Malicious Code from "Phoning Home"

    Modern malicious code often has the capability to send spam, act as a proxy, download and execute additional malicious code, and more, all while acting as a node in a large, centrally managed botnet. These botnets require command channels to communicate with their owners, and these channels almost always use outbound connections from the bot to bypass firewalls that block incoming connections. The traditional approach of blocking all inbound connections except to specific hosts in a "demilitarized zone," combined with allowing only certain outbound access (such as that required for e-mail and Web access), is effective against much malicious code but still has its limitations. This presentation will discuss motivations, covert channel methods and ways to mitigate such traffic going forward.
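As an added illustration of the limitation the abstract points to (this is not code from the newsletter or from iDefense): a bot that phones home over an allowed port such as 80 passes port-based egress filtering, so defenders look instead for machine-like regularity in the outbound connection log. The log lines, addresses and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log (not real traffic): timestamp src dst dport action.
# 10.0.0.5 reaches the same host every 60 s on port 80: allowed by egress policy,
# but the regularity is the tell. 10.0.0.7 is ordinary, irregular browsing.
# 10.0.0.9 tries IRC (6667), which port-based egress filtering already denies.
SAMPLE_LOG = """\
2007-01-04T09:00:00 10.0.0.5 203.0.113.9 80 ALLOW
2007-01-04T09:01:00 10.0.0.5 203.0.113.9 80 ALLOW
2007-01-04T09:02:00 10.0.0.5 203.0.113.9 80 ALLOW
2007-01-04T09:03:00 10.0.0.5 203.0.113.9 80 ALLOW
2007-01-04T09:00:07 10.0.0.7 198.51.100.20 80 ALLOW
2007-01-04T09:14:31 10.0.0.7 198.51.100.20 80 ALLOW
2007-01-04T09:41:02 10.0.0.7 198.51.100.20 80 ALLOW
2007-01-04T10:12:55 10.0.0.7 198.51.100.20 80 ALLOW
2007-01-04T09:05:00 10.0.0.9 192.0.2.4 6667 DENY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def parse_log(text):
    """Parse log text into (ts, src, dst, dport, action) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return events

def find_beacons(events, min_hits=4, max_cv=0.2):
    """Return [((src, dst, dport), mean_gap_seconds), ...] for allowed flows
    whose connections recur at near-constant intervals."""
    flows = defaultdict(list)
    for ts, src, dst, dport, action in events:
        if action == "ALLOW":                      # denied flows are already handled
            flows[(src, dst, dport)].append(ts)
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation near 0 means a fixed timer, not a human at a keyboard.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((key, avg))
    return beacons
```

Real bots jitter their timers, so in practice the threshold is tuned against a baseline and combined with other signals (destination reputation, bytes per connection) rather than used alone.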

    This interactive iDefense Webcast is held on 10 January 2007, at 2pm US Eastern Time, that is 7pm UK, 8pm European time. You will need an audio equipped computer to participate.

    Please join and ask questions. It's your presence that adds great value.

    New specialist blogs

    We mentioned Michael Farnum briefly in the last issue. Michael is a Security Engineer for a security consultant / reseller. He lives in Houston, Texas, has been in IT since 1994 and in InfoSec since 2000. He has some pretty "direct" things to say about security.

    We've also started to publish the TechWorld blog. This covers compliance, privacy and security, and extends into wider fields such as Phisheries Protection, worms, scams and other areas.

    See them and all our other bloggers through the Compliance and Privacy Blogger Portal.


    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.