Compliance and Privacy
Compliance and Privacy News )
 
Essential Reading for Today's Business 7 February 2007


in this issue:
  • Motives, Methods and Mitigation of Insider Threats - Live WebCast
  • Swedish bank suffers huge phishing fraud
  • MySpace files suit against phamous phishing king
  • MiFID: IT contractors ride high on the waves of change
  • Majority of Brits using online banking
  • Consumers Want Better Online Banking Security
  • Microsoft to push new antiphishing technology
  • McAfee Adds Phishing Protection to Free SiteAdvisor Product
  • Phishing overtakes viruses and Trojans
  • Swift data privacy not under our jurisdiction - ECB
  •  

    Dear Visitor,

    News is moving so fast it's been hard to slim this newsletter down. We're highlighting about half the articles since the last newsletter. And most of them seem to be about Phishing.

    We've also enhanced the site. There's so much news on it that we've added a site search tool, powered by Google. We've has so many requests for it, and now it's there.

    I commend the first item to you. The iDefense WebCasts are excellent, and, being free, your return on investment is enormous. This one is about Insider Threats. Can you afford to be complacent?

    Otherwise the news has been about phishing and its effect on security. PayPal is taking steps to try to eliminate it with a token based system, Microsoft is "green barring" Internet Explorer, but no news of when FireFox will catch up. IE's market share is steadily being eroded, but this may bring it back up.

    Watch for our next newsletter nearer the end of February, and, if your colleagues want a copy, just let them know. All they have to do is to subscribe.


    Peter Andrews

    Motives, Methods and Mitigation of Insider Threats - Live WebCast

    Although security plans are usually designed to look outward to mitigate threats and attacks from the Internet, they often fail to address the more likely attack vector the malicious insider. This report examines the anatomy of the insider threat, what makes the malicious insider tick, how they often hit and what organizations can do to prevent damage or loss. A heavy focus upon the impact to financial and retail organizations is included in this research.

    Date: 7 February 2007
    Time: 2pm US Eastern Time, that is 7pm UK, 8pm European time
    Where: At a computer near you

    You need an audio equipped computer and, for participation, a microphone. Your participation makes these events special so RSVP and register today

    Swedish bank suffers huge phishing fraud

    'The Local’ has reported that Sweden's largest bank, Nordea, has suffered a huge Internet-based fraud. Over 8 million kronor (nearly £600,000) has disappeared in three months as a result of tailor-made Trojans launched by Russian criminals.

    This was sent in the name of the bank via a phishing email to the bank’s clients. The sender encouraged clients to download a spam fighting application. Users who downloaded the file which was to the e-mail were infected by the trojan haxdoor.ki. When the first attacks begun it was clear that the haxdoor version had been modified to target the bank.

    The Trojan activated itself when users tried to log in to their online banking account. The Trojan then saved the information and displayed an error message asking the client to enter further access information. The criminals then had two access codes in their possession, which is enough to transfer money. The Police has been able to establish the fact that log in information has been sent to servers in the USA and then to Russia. After that unknown criminals have logged in transferring large amounts from the bank.

    MySpace files suit against phamous phishing king

    Social networking site MySpace (part of Fox Interactive Media, Inc.) has filed a lawsuit against Scott “Spam King” Richter for violating the federal CAN-Spam Act (aka Controlling the Assault of Non-Solicited Pornography and Marketing Act) and California's anti-spam statute.

    Allegedly, Richter used phished MySpace account information to send email sales campaigns without the page owner's knowledge. The filing demands monetary compensation (amount not specified) and a permanent injunction barring Richter and his various companies from MySpace.

    If found guilty and there is not an out-of-court settlement, the CAN-Spam Act states that each violation is subject to fines of up to $11,000 and include imprisonment, while the California statute adds $1000 for “each unsolicited commercial e-mail advertisement transmitted” with a maximum of $1 million per incident.

    MiFID: IT contractors ride high on the waves of change

    Don't you just love change? What with the moving target of customer requirements, and that constant bleat of officialdom. Not for you? Well it should be, it drives up your rates, and no one has yet invented an IT system that didn't need fiddling with to keep it performing. Change is constant and good.

    If you could imagine a world without IT change, you'd imagine far fewer opportunities for freelance contractors. As a breed, they probably wouldn't exist. And so, just as the Sarbanes Oxley and Basel II parties are winding down, another invitation to hike up the rates and make a mint presents itself: MiFID.

    MiFID – rhymes with Triffid for those with a herbaceous bent – is the Markets in Financial Instruments Directive developed as part of the European Commission's Financial Services Action Plan. After eighteen months delay it is now expected to come into force by 1st November 2007.

    According to business law firm Norton Rose, "MiFID has been compared to an iceberg of Titanic-sinking proportions... There is an increasing realisation that MiFID will have a fundamental impact on many investment firms." And analyst Gartner adds that the technology impact of MiFID will be far reaching, "affecting enterprise architecture approaches, design and use of shared services, performance measurement and management, and governance."

    Majority of Brits using online banking

    More than two thirds of Britons used internet banking to conduct the majority of their banking in 2006, according to a recent survey. The study, conducted by Lloyds TSB, found that the figure compared with fewer than one in five during 2005.

    More than half of those questioned said they used online banking more often this year than they did last year, while 70 per cent of the over 50s cited the money management method as being their preference. The most popular reason given for banking online was the constant availability of the service, with the second most cited answer being the convenience of financial management regardless of the place.

    Consumers Want Better Online Banking Security

    Consumers are ready to start using stronger authentication technologies and want their banks and brokerage houses to monitor online transactions for suspicious activity.

    As trust among consumers for online banking continues to erode, users in the United States, Europe, Australia, and India are demanding stronger security for their online accounts, a poll published Thursday reported.

    According to survey results, majorities of nearly 1,700 consumers in eight countries said they were ready to start using stronger authentication technologies that went beyond the traditional user name/password, wanted their banks and brokerage houses to monitor online banking transactions for suspicious activity, and were familiar with the term "phishing."

    The fourth-annual online poll conducted by RSA, the security division of storage maker EMC, traced the ongoing slide in consumer trust: 82% of account holders said that they are less likely to respond to e-mail from their bank because of phishing scams. The results in 2005 and 2004 were 79% and 70%, respectively.

    Microsoft to push new antiphishing technology

    Microsoft Corp. and industry partners are pushing ahead with plans to make the Web a little safer with a new technology to combat phishing.

    At next month's RSA Conference in San Francisco, the software giant plans to announce that a number of Web sites have gone through a new certification process designed to make it harder for phishers to spoof them. The process gives third-party certification authorities like VeriSign Inc. and Entrust Inc. a more stringent set of guidelines to follow when they are authenticating Web sites.

    The result of the process is something called an Extended Validation Secure Sockets Layer (EV SSL) certificate, which can be used by Web sites to help reassure Web surfers that they are handing over their private information to a legitimate site.

    Microsoft is ahead of other browser-makers in supporting EV SSL certificates, which will work with Internet Explorer 7 by the end of this month. But for the technology to take off, it must also be widely adopted by Web sites.

    McAfee Adds Phishing Protection to Free SiteAdvisor Product

    McAfee, Inc has announced that McAfee(R) SiteAdvisor(TM), the world's first safe search and browse technology, now provides anti-phishing protection. Beginning immediately, consumers who download the free SiteAdvisor software will get advanced, real-time "phishing" detection that combines white lists, black lists and heuristics to provide early warnings against scam sites that can compromise consumers' identities. Current SiteAdvisor users will get this new feature automatically.

    McAfee, Inc. (NYSE:MFE) today announced that McAfee(R) SiteAdvisor(TM), the world's first safe search and browse technology, now provides anti-phishing protection. Beginning immediately, consumers who download the free SiteAdvisor software will get advanced, real-time "phishing" detection that combines white lists, black lists and heuristics to provide early warnings against scam sites that can compromise consumers' identities. Current SiteAdvisor users will get this new feature automatically.

    "Anti-phishing is a strong addition to SiteAdvisor's existing protections against adware, spyware, browser attacks, spam and other scams," said Mark Maxwell, Senior Product Manager, McAfee. "Anti-phishing protection gives McAfee SiteAdvisor users up-to-the minute protection against fraudulent spoof sites which is critical given the transient nature of most phishing attacks."

    Phishing overtakes viruses and Trojans

    Phishing attacks have outstripped the number of emails infected with viruses and Trojans for the first time, according to security experts.

    Security mail services vendor MessageLabs reported on Monday that in January 2007, one in 93.3 (1.07 percent) emails comprised some form of phishing attack. There were fewer emails infected with viruses — one in 119.9 emails, or 0.83 percent.

    The difference in the ratio of phishing to virus attacks is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. This includes the recent Storm Worm and Warezov attacks, according to MessageLabs.

    "If you look at infected email traffic for January, it's very spiky," said Mark Sunner, chief technology officer at MessageLabs. "With Storm Worm there are clear spikes, then drops down to normal levels. It's as though someone is turning on the tap briefly, then letting it abate," Sunner told ZDNet UK.

    Swift data privacy not under our jurisdiction - ECB

    The European Central Bank (ECB) would like to note that central banks are responsible for fostering financial stability and promoting the smooth operation of payment and settlement systems.

    As SWIFT is a messaging provider and not a payment system, central bank oversight of SWIFT (performed by the G101 central banks and the ECB) focuses on its technical security, operational reliability, resilience, appropriate governance arrangements, and its having in place risk management procedures and controls. The monitoring of SWIFT activities that do not affect financial stability is not a matter for central bank oversight and therefore the US Treasury sub-poenas of SWIFT were outside the purview of central bank oversight. The Oversight Group has no authority to oversee SWIFT with regard to compliance with data protection laws. The request by the European Data Protection Supervisor to bring data protection compliance within the remit of central bank oversight would not be in line with the allocation of legal responsibilities.

    Quick Links...

     

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.