|Compliance and Privacy News|
It's almost too much of a rush with compliance, privacy, and security to have time to say "Happy New Year"; there was no letup over the Christmas break. About the only thing that slowed down was pump and dump spam because exchanges were not open enough, but that slowing was only a few percentage points!
We're planning to be back to a newsletter every two weeks. There's so much news at present that a monthly newsletter is too long. Even this one is not short, so I'll keep the introduction brief!
Apart from two new blogs, though we mentioned Michael Farnum briefly in the last newsletter, we're looking at:
As usual we love getting your feedback. Feedback means we make sure we send the things you want to read. Either reply to me directly, or, even better, put your thoughts on one of the discussion groups. The link is at the foot of this newsletter.
Prompted by an article in The Hindu Businessline, Peter Andrews, editor of Compliance and Privacy recalls his own brush with attempted phone phishing and ID Fraud.
Andrews received a phone call a month or two before the UK Chip and PIN cut over date. He banks at First Direct, a bank set up to handle the phone first and foremost, and he was unaware that he was about to receive a new credit card, so he was not surprised that it did not arrive. And the First Direct phone system is pretty secure, with variable questions asked.
The call was simple. And it was in the form that the bank uses. The bank, when it calls, asks a couple of security questions, and these are usually the type with a "standard" answer, like "mother's maiden name". The "expected call centre voice" asked and was answered. There was no reason to suspect a thing at this point.
The rest of the call was both professional and also odd. Questions about supermarkets used were, at best, unusual. The killer question was "Please tell me a four digit number associated with your card?"
The McAfee Virtual Criminology Report 2006 marks the second annual McAfee report into organized crime and the Internet. The study, which used input from Europe's leading high-tech crime units and the FBI, suggests that crime gangs are targeting top students from leading academic institutions in order to provide them with the skills they need to commit high-tech crime on a mass scale.
The study reveals how Internet savvy teens as young as 14 are being attracted into cybercrime by the celebrity status of high-tech criminals and the promise of monetary gain without the risks associated with traditional crime. The report also shows how cybercriminals are moving away from bedrooms and into public places such as Internet cafes and wi-fi enabled coffee shops.
Other key findings from the McAfee Virtual Criminology Report 2006 include:
Digital Brand and Fraud Protection services help organizations detect, prioritize and rapidly respond to suspicious activities on Web sites, blogs, online user communities, and other sources that can damage brand equity and consumer confidence.
"Brand equity and reputation, which can be valued at billions of dollars for well known companies, can easily be compromised by online fraud, negative opinions, trademark infringement and improper logo usage," said Mike Denning, vice president and general manager, VeriSign Digital Brand Management Services. "For the first time, companies can protect revenue and their brands by rapidly responding to incidents in near real time. Our new Brand and Fraud Protection Services provide marketing, legal and IT professionals with actionable brand protection and management solutions to detect and counter any unauthorized or improper online activity that could damage their brand image and lead to lost revenues."
"Firms have to ensure that their brand integrity remains consistent both online and offline," writes Mike Rasmussen, vice president, Forrester Research. "Malicious attacks or internal negligence can lead to compromised customer privacy, inconsistent company communications, or inaccurately published information that ultimately harms the firm's overall brand and online presence."
With the proliferation of online fraud such as phishing and typo squatting, protecting brands online has become increasingly more important for enterprise companies. According to the Anti-Phishing Working Group (APWG), the number of distinct spoof Web sites rose 52 percent in October 2006 to a record-shattering of 37,444, up from 24,565 a month earlier.
The Federal Communications Commission in the USA was directed by Congress to form the Committee as part of the recently-passed Warning, Alert and Response Network (WARN) Act (Title VI of Public Law 109-347). The US committee will establish a national emergency alert system to warn the American public in case of a terrorist attack, natural disaster or other crisis. Over the next year, the Committee will develop and recommend technical standards and protocols to enable mobile service providers to transmit alerts to subscribers' mobile phones.
In this edition, learn about the 5 public blogs that VeriSign employees are using to facilitate communication and technology intelligence among customers, partners, and developers.VeriSign is responding to customer and industry needs every day and in November, VeriSign hosted several of their most influential customers at a Technical Advisory Council to discuss the state of security and the direction of future product offerings. On the international front, VeriSign participated in a keynote presentation at RSA Conference Europe on the topic of Internet Security and the importance of global industries sharing intelligence to better secure online transactions. Enjoy this last edition of 2006 and have a happy and safe holiday season.
In This Issue:
Monthly Threat Summary
News from VeriSign
It's been in the news recently with a substantial article by Robert McMillan of the IDG News Service. After we read his article in InfoWorld, we asked Ken Dunham, Director of VeriSign's Rapid Response Team, and this is what he told us
Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region. This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam. The group is named after URL characteristics, where strings such as "rock" or "r" may appear in a phishing URL. Multiple characteristics are utilized in associating phishing attacks with the Rock Phish Group.
Modern malicious codes often have the capability to send spam, act as a proxy, download and execute additional malicious codes and other functionality, all while acting as a node in a large, centrally managed botnet. These botnets require command channels to communicate to their owners, and these channels almost always use outbound connections from the bot to bypass firewalls that prevent incoming connections. The traditional approach of blocking all inbound connections except for specific hosts in a "demilitarized zone," combined with allowing only certain outbound access (such as that required for e-mail and Web access) is effective against many malicious codes, but still has its limitations. This presentation will discuss motivations, covert channel methods and ways to mitigate such traffic going forward.
This interactive iDefense Webcast is held on 10 January 2007, at 2pm US Eastern Time, that is 7pm UK, 8pm European time. You will need an audio equipped computer to participate.
Please join and ask questions. It's your presence that adds great value
We mentioned Michael Farnum briefly in the last issue. Michael is a Security Engineer for a security consultant / reseller. He lives in Houston, Texas, has been in IT since 1994 and in InfoSec since 2000. he has some pretty "direct" things to say about security.
We've also started to publish the TechWorld blog. This includes compliance, privacy and security, and extends into wider fields such as Phisheries Protection, worms, scams and other areas
See them and all our other bloggers through thre Compliance and Privacy Blogger Portal
Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.