<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
 <channel>
  <title>Compliance and Privacy News</title>
  <link>http://complianceandprivacy.com/rss/rss.xml</link>
  <description>complianceandprivacy.com is full of news and views on Compliance, Privacy and surrounding legislation in the global marketplace from a European perspective</description>
  <lastBuildDate>Tue, 18 Mar 2008 14:58:05 GMT</lastBuildDate>
  <generator>ListGarden Program 1.3.1</generator>
  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
<image>
<url>http://www.complianceandprivacy.com/images/cplogo.gif</url>
</image>
  <item>
   <title>Mobile and Remote Working - Is it secure? </title>
   <link>http://complianceandprivacy.com/News-Wick-Hill-remote-working-security.html</link>
   <description>&lt;ul&gt;&lt;li&gt;Unstoppable move towards remote and mobile working&lt;/li&gt;&lt;li&gt;Mobile working is not adequately secured.&lt;/li&gt;&lt;li&gt;Organisations are concerned about security for mobile and remote workers and how to enforce company security policies outside the gateway.&lt;/li&gt;&lt;li&gt;Companies want to protect against data leakage and data loss from such problems as stolen laptops.&lt;/li&gt;&lt;li&gt;There is no one solution to securing remote working.&lt;/li&gt;&lt;li&gt;The range of solutions includes strong authentication, end point security, remote unified threat management (UTM) systems, low-cost encryption and VPNs.&lt;/li&gt;&lt;/ul&gt;



</description>
   <pubDate>Tue, 18 Mar 2008 14:58:01 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Wick-Hill-remote-working-security.html</guid>
  </item>
  <item>
   <title>Olubi Adejobi and Robert Bentley, both Solicitors, fined for Data Protection Offences</title>
   <link>http://complianceandprivacy.com/News-UKIC-prosecutes-London%20Solicitors.html</link>
   <description>Grier Olubi and Bentleys - Individual solicitors convicted for data protection offences&lt;br>&lt;br>The Information Commissioner’s Office (ICO) has today successfully prosecuted two London solicitors for offences under the Data Protection Act. Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley’s Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 plus a victims’ surcharge of £15 at Stratford Magistrates’ Court. Each solicitor must pay a total of £815 in fines and costs.&lt;br>&lt;br>Today’s prosecution follows the failure of both Mr Adejobi and Mr Bentley to notify as data controllers despite repeated reminders from the ICO of their obligations under the Data Protection Act.&lt;br>&lt;br>Under the Act, organisations that process individuals’ personal information may be required to notify with the Information Commissioner at a nominal cost of £35 per year. Despite being told to notify, both Mr Adejobi and Mr Bentley have failed to respond to any of the ICO’s correspondence and have still not notified.&lt;br>&lt;br></description>
   <pubDate>Fri, 22 Feb 2008 13:45:05 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-prosecutes-London%20Solicitors.html</guid>
  </item>
  <item>
   <title>ADC Organisation Prosecuted by UK Information Commissioner for Data Protection law breaches</title>
   <link>http://complianceandprivacy.com/News-UKIC-prosecutes-ADC-Organisation.html</link>
   <description>ADC Organisation prosecuted for data protection offences&lt;br>&lt;br>ICO prosecutes debt company for breaching marketing rules&lt;br>&lt;br>A Manchester debt recovery company has been successfully prosecuted by the Information Commissioner’s Office (ICO) for bombarding individuals and businesses with unwanted faxes. The action follows thousands of complaints from individuals and businesses to the ICO and the Fax Preference Service (FPS).&lt;br>&lt;br>ADC Organisation Ltd (ADC) pleaded guilty to six charges under the Privacy and Electronic Communications Regulations and has been fined £600 (£100 per charge). The organisation was also ordered to pay £1,926.25 in costs. ADC must pay a total of £2,526.25 in fines and costs.&lt;br>&lt;br></description>
   <pubDate>Fri, 22 Feb 2008 13:32:32 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-prosecutes-ADC-Organisation.html</guid>
  </item>
  <item>
   <title>UK Information Commissioner takes enforcement action against Marks &amp; Spencer</title>
   <link>http://complianceandprivacy.com/News-UKIC-requires-laptop-encryption.html</link>
   <description>M&amp;amp;S ordered to encrypt all hard drives by April 2008&lt;br>&lt;br>The Information Commissioner's Office (ICO) has found Marks &amp;amp; Spencer (M&amp;amp;S) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&amp;amp;S employees.&lt;br>&lt;br>An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&amp;amp;S employees, was stolen from the home of an M&amp;amp;S contractor. In light of the nature of the information contained on the laptop, it is the ICO's view that M&amp;amp;S should have had appropriate encryption measures in place to keep the data secure.&lt;br>&lt;br>Mick Gorrill, Assistant Commissioner at the ICO, said: &quot;It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act. </description>
   <pubDate>Fri, 25 Jan 2008 12:40:19 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-requires-laptop-encryption.html</guid>
  </item>
  <item>
   <title>Bereaved man sickened by marketing 'breach'</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>A consultant in data privacy has slammed a crematorium for its &quot;tasteless&quot; posting of marketing material, claiming that it broke the law.&lt;br>&lt;br>Tim Trent, 55, cremated his mum Connie at North East Surrey Crematorium last November and thought that would be the end of the matter.&lt;br>&lt;br>But three days later, he was stunned to find a glossy brochure on his doormat, advertising memorials, plaques, flowers and other services offered by the crematorium.&lt;br>&lt;br>Mr Trent said: &quot;It hit me in the face like a sledgehammer. We had a really good send-off for my mother, and thought that chapter of our life was closed. I didn't expect this at all, so it was gloriously distasteful.&quot;</description>
   <pubDate>Fri, 25 Jan 2008 11:58:08 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>European Data Protection Supervisor condemns data protection legislation</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>The European Data Protection Supervisor (EDPS) has condemned the inability of existing legislation to protect citizens against practices and proposals that amount to the creation of a state-sponsored surveillance society.&lt;br>&lt;br>EDPS Peter Hustinx called on the European Parliament to pass primary legislation to define and protect personal data. He also asked for specific laws to protect such data from abuse under new data collection and exchange proposals from law enforcement agencies.&lt;br>&lt;br>He said agencies that collect, process and store the data should provide information that would allow individuals to modify their behaviour to avoid being &quot;profiled&quot; and to obtain redress for errors and abuses.&lt;br>&lt;br>The recommendations were part of three opinions that the EDPS issued in December. The opinions are his response to practices and proposals related to the fight against terrorism and organised crime. Many of them have arisen since 9/11.</description>
   <pubDate>Wed, 16 Jan 2008 12:16:54 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>FBI eyes British identity data</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>The US Federal Bureau of Investigation is seeking British co-operation in setting up an internationally accessible biometric database of known and suspected criminals and terrorists.</description>
   <pubDate>Wed, 16 Jan 2008 12:14:12 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Dam Data Leakage at Source - a Wick Hill view</title>
   <link>http://complianceandprivacy.com/News-Wick-Hill-Dam-data-leakage-at-source.html</link>
   <description>&lt;ul&gt;&lt;li&gt;Computer networks have become increasingly open and accessible by more and more users. Huge growth in the use of mobile, wireless and remote computing&lt;/li&gt;&lt;li&gt;These changes in computer networks have left confidential data at risk of being seen by those unauthorised to view it.&lt;/li&gt;&lt;li&gt;Those wanting to view data without permission include employees and those outside an organisation. The motive may be non-malicious, or malicious, or criminal.&lt;/li&gt;&lt;li&gt;Laptops are particularly vulnerable to data loss or theft, with laptop losses reported ever more frequently.&lt;/li&gt;&lt;li&gt;Losing data damages a company's reputation, puts them in breach of the Data Protection Act and may be very costly, including the possibility of being fined.&lt;/li&gt;&lt;li&gt;If sensitive information, such as financial details, is lost, it may leave customers or staff exposed to identity theft.&lt;/li&gt;&lt;li&gt;Currently, the protection of data is mainly inadequate. Because of the rapidly changing structure of computer networks, companies should review the way they protect the security of data.&lt;/li&gt;&lt;li&gt;The highest risk areas for losing data are through email, through remote access and through laptop use.&lt;/li&gt;&lt;li&gt;Encryption is the best way to secure data. It is now both easy-to-use and low cost.&lt;/li&gt;&lt;li&gt;Encryption technology is now moving towards Unified Encryption Management (UEM), which means that encryption is centrally managed throughout an organisation, including for office based systems, mobile and remote access.&lt;/li&gt;&lt;/ul&gt;
</description>
   <pubDate>Fri, 09 Nov 2007 08:12:40 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Wick-Hill-Dam-data-leakage-at-source.html</guid>
  </item>
  <item>
   <title>UK Information Commissioner does not regulate BlueSpam after all!</title>
   <link>http://complianceandprivacy.com/News-UKIC-does-not-regulate-bluespam.html</link>
   <description>Following discussions with the Department of Business, Enterprise and Regulatory Reform and others the Information Commissioner’s Office has amended its guidance on the Privacy and Electronic Communications Regulations 2003. The guidance previously stated that marketing messages sent using Bluetooth technology would be subject to PECR rules relating to the sending of unsolicited marketing.</description>
   <pubDate>Fri, 12 Oct 2007 17:25:22 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-does-not-regulate-bluespam.html</guid>
  </item>
  <item>
   <title>IPv6 - Risks &amp; Ramifications of a Potential Disruptor  - Book your Webcast place</title>
   <link>http://complianceandprivacy.com/events.asp</link>
   <description>While the various modifications and improvements to IPv4 have served the Internet well, these stop gaps can only go so far. Fortunately, IPv6 is finally maturing and provides some much needed functionality that will undoubtedly facilitate growth and innovation. Now that more products include IPv6 functionality, the technology is slowly becoming a reality. While this is a slow process, it will be moved along with the US Government's mandate that organizations implement IPv6 by 2008; the mandate even includes organizations that do not have external factors forcing an upgrade. &lt;br>&lt;br>While delaying deployment may lead to missed opportunities, completely disregarding the technology can have serious security ramifications. Most networks are partially IPv6-capable whether or not network managers are aware of it, and IPv4 networks left unprepared are vulnerable to attackers. So, for those considering upgrading to IPv6, there are a number of issues to consider before taking the plunge. Organizations must remember that platform upgrades of this scale will cause disruptions. In addition, an upgrade could cause confusion, resulting in security holes that attackers will certainly try to exploit. These are just some of the issues network managers and implementation specialists must consider, which makes it imperative they have a solid understanding of this new protocol. From a strategic standpoint, IPv6 facilitates a paradigm shift toward increasingly distributed, end-to-end communications, changing the threat landscape and requiring similarly distributed security. This report provides an overview of IPv6 and discusses the risks associated with its implementation. </description>
   <pubDate>Thu, 11 Oct 2007 11:31:13 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events.asp</guid>
  </item>
  <item>
   <title>Predicting Disruptive Technologies over the next 5 years - Webcast replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>Disruptors, understood as radical shifts in technological or behavioral trend-line trajectories, are considered &quot;disruptive&quot; largely because they are unforeseeable or else, if somewhat foreseeable, cannot be modeled precisely enough to facilitate control over the process. With this in mind this report analyses numerous and varied potential disruptors, some of which may never come to fruition. Thus, each section explicitly acknowledges the level of confidence with which analysts estimate each disruptor's potential impact; some will be almost sure to occur, others less likely and still others of uncertain likelihood. In this way, decision makers can allocate resources according not only to the potential impact, but also considering the likelihood of its occurrence. </description>
   <pubDate>Thu, 11 Oct 2007 11:30:00 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Uncovering Online Fraud Rings: The Russian Business Network - Webcast Replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>The Russian Business Network (RBN) developed into its current incarnation as &quot;the baddest of the bad&quot; Internet service provider (ISP) in June 2006. Before then, much of the malicious code currently hosted on RBN servers was located on the IP block of another St. Petersburg ISP, the now-defunct ValueDot. Like ValueDot before it, but unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control (C&amp;amp;C), and denial of service (DoS) attacks on every single server owned and operated by RBN. </description>
   <pubDate>Thu, 11 Oct 2007 11:28:51 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Motives, Methods and Mitigation of Insider Threats  - Webcast Replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>Although security plans are usually designed to look outward to mitigate threats and attacks from the Internet, they often fail to address the more likely attack vector - the malicious insider. This report examines the anatomy of the insider threat - what makes the malicious insider tick, how they often hit and what organizations can do to prevent damage or loss. A heavy focus upon the impact to financial and retail organizations is included in this research. </description>
   <pubDate>Thu, 11 Oct 2007 11:28:09 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Flash mobs - the next online threat </title>
   <link>http://complianceandprivacy.com/News-Eversheds-e80-flash-mobs.html</link>
   <description>Estonia has one of the most technologically advanced populations in Europe. Events in the last few months, though, have perhaps given the rest of Europe a taste of what might be the next real threat on the internet, flash mobbing.&lt;br>&lt;br>Flash mobbing is where a group of people meet online to coordinate attacks on an organisation either by their physical presence (such as everyone turning up at one furniture shop) or online. Common attacks include sending emails to the same website at the same time or using the website for mass queries with the aim of taking the server down.&lt;br>&lt;br>Flash mobbing has been headline news in Estonia as its government uses technology extensively, for example allowing widespread use of e-voting in the last elections. The government's servers were attacked in the summer by a flash mob thought to have had connections with neighbouring Russia.</description>
   <pubDate>Fri, 05 Oct 2007 09:01:34 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Eversheds-e80-flash-mobs.html</guid>
  </item>
  <item>
   <title>Thales's Mobile VPN Solution Secures the Use of Public Wireless Networks</title>
   <link>http://complianceandprivacy.com/News-Thales-safemove-release.html</link>
   <description>Thales, a leading supplier of IT security products and solutions for all critical infrastructures, today (4 October 2007) announced a new version of its SafeMove Mobile VPN solution incorporating an innovative Hotspot Login Assistant. The enhancement makes untrusted public networks easier and much safer for users who require remote access to corporate networks. The Hotspot Login Assistant feature makes Thales's SafeMove the leading remote access solution, truly addressing all security dimensions, including critical human factor issues. &lt;br>&lt;br>According to the latest figures from the Office of National Statistics, the number of people in the UK who work mainly from home doubled between 1997 and 2005 to 2.4 million workers. Supporting the desire for increasing levels of flexibility, the number of workers using multiple locations experienced the strongest growth, accounting for 6 per cent of all workers in 2005. These statistics reflect a worldwide trend that supports the need for advanced security solutions, such as SafeMove, to safeguard the information of companies and individuals wishing to access private data and applications from a variety of locations. </description>
   <pubDate>Thu, 04 Oct 2007 09:40:37 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Thales-safemove-release.html</guid>
  </item>
  <item>
   <title>Full archive of Privacy Laws and Business UK Newsletters</title>
   <link>http://complianceandprivacy.com/privacy-laws-and-business/UK-Newsletter-Index.html</link>
   <description>By kind permission of Privacy Laws and Business, ComplianceAndPrivacy.com is able to bring you the United Kingdom Newsletter Archive, up to the end of June 2007. New items will be announced individually.</description>
   <pubDate>Wed, 03 Oct 2007 14:14:18 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/privacy-laws-and-business/UK-Newsletter-Index.html</guid>
  </item>
  <item>
   <title>Full archive of Privacy Laws and Business International Newsletters</title>
   <link>http://complianceandprivacy.com/Legislation.asp</link>
   <description>By kind permission of Privacy Laws and Business, ComplianceAndPrivacy.com is able to bring you the International Newsletter Archive, up to the end of June 2007. New items will be announced individually.</description>
   <pubDate>Wed, 03 Oct 2007 14:13:58 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/Legislation.asp</guid>
  </item>
  <item>
   <title>PL&amp;B International E-news, Issue 57</title>
   <link>http://complianceandprivacy.com/privacy-laws-and-business/Issue-57.html</link>
   <description>&lt;ul&gt;&lt;li&gt;The Art. 29 Data Protection Working Party discusses SWIFT, search engines' retention policies and the definition of &quot;personal data&quot;&lt;/li&gt;&lt;li&gt;Argentina appoints a new Data Protection Commissioner&lt;/li&gt;&lt;/ul&gt;
</description>
   <pubDate>Wed, 03 Oct 2007 14:11:31 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/privacy-laws-and-business/Issue-57.html</guid>
  </item>
  <item>
   <title>PL&amp;B UK E-news, Issue 60</title>
   <link>http://complianceandprivacy.com/privacy-laws-and-business/UK-issue-60.html</link>
   <description>&lt;ul&gt;&lt;li&gt;Orange and Littlewoods found in breach of DP Act&lt;/li&gt;&lt;li&gt;The ICO is getting tougher. The Information Commissioner, Richard Thomas, will be launching his consultation on his &quot;New strategy and new priorities for Data Protection and Freedom of Information&quot; at the PL&amp;B Cambridge Conference on Monday, 2nd July&lt;/li&gt;&lt;li&gt;ICO publishes guidance on bankruptcy&lt;/li&gt;&lt;/ul&gt;</description>
   <pubDate>Wed, 03 Oct 2007 14:10:12 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/privacy-laws-and-business/UK-issue-60.html</guid>
  </item>
  <item>
   <title>Thales SafeSign packages revolutionise delivery of identity management and authentication pilot schemes</title>
   <link>http://complianceandprivacy.com/News-Thales-signsafe-release.html</link>
   <description>Thales offers its award-winning end-to-end strong authentication solution, SafeSign, in a range of pilot packages for enhanced ease of installation and configuration&lt;br>&lt;br>Thales today (1 October 2007) announces that it is launching individually packaged pilot versions of its market-leading identity management and authentication solution, SafeSign. This innovation enables enterprises such as banks and government agencies to assess the value of a solution against their specific business needs in a faster and more cost-effective manner. By using a SafeSign pilot package, organisations can have the solution operational in under 20 minutes, revolutionising the pilot phase and saving valuable project time.&lt;br>&lt;br>As technology continues to evolve at an exponential rate, banks and enterprises face a huge investment of time, money and resource to pilot hardware and software projects to remain competitive. Thales's innovative offering enables organisations to easily implement a tailored strong authentication package that they can integrate with internal applications and run a proof-of-concept programme before committing to full-scale deployment. </description>
   <pubDate>Mon, 01 Oct 2007 11:20:00 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Thales-signsafe-release.html</guid>
  </item>
  <item>
   <title>Compliance and Privacy Feed now to your WAP phone</title>
   <description>We've started to experiment with WAP technology as a service to our readers. So we're working with the service from Feedm8 to see if this is beneficial.

&lt;p&gt;&lt;a href=&quot;http://feedm8.com/web/feed_send?feedid=829&quot; target=&quot;fmpopup&quot; onsubmit=&quot;window.open('http://feedm8.com/web/feed_send?feedid=829', 'fmpopup', 'scrollbars=yes,width=550,height=520');return true&quot;&gt;&lt;img src=&quot;http://feedm8.com/web/images/send6.gif&quot; border=&quot;0&quot;&gt;&lt;/a&gt; will get the service to your mobile.</description>
   <pubDate>Sun, 16 Sep 2007 22:29:20 GMT</pubDate>
  </item>
  <item>
   <title>UK Information Commissioner serves enforcement notice on Fax marketers</title>
   <link>http://complianceandprivacy.com/News-UKIC-enforces-against-fax-marketing.html</link>
   <description>The Information Commissioner’s Office (ICO) has ordered two debt recovery companies to stop sending unwanted faxes to individuals and businesses. This action has been brought under the Privacy and Electronic Communication Regulations (PECR) following hundreds of complaints from individuals and businesses to the ICO and the Fax Preference Service.&lt;br>&lt;br>Failure to comply with the Enforcement Notices is a criminal offence and is likely to result in the ICO taking further action against Clear Debt Solutions Ltd and ADC Organisation Ltd.</description>
   <pubDate>Wed, 12 Sep 2007 10:52:35 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-enforces-against-fax-marketing.html</guid>
  </item>
  <item>
   <title>Dechert: Bluespam - Is It Legal?</title>
   <link>http://complianceandprivacy.com/News-Dechert-Bluespam.html</link>
   <description>&quot;Bluespam: Is it legal?&quot; examines whether so called bluespam falls within the restrictions imposed by the Privacy and Electronic Communications Directive and whether organisations can therefore be prevented from marketing via bluetooth without first obtaining consent. It also considers the practicality of obtaining consent from bluetooth users and discusses the options for Bluetooth users who do not wish to receive bluespam.</description>
   <pubDate>Wed, 29 Aug 2007 17:22:37 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Dechert-Bluespam.html</guid>
  </item>
  <item>
   <title>Off Network Security; A Crisis at Hand - Ponemon Institute and Redemtech</title>
   <link>http://complianceandprivacy.com/News-Ponemon-Redemtech-study.html</link>
   <description>Ponemon Institute Examines Security Risk Posed by Off-Network, Data-Bearing Equipment&lt;br>&lt;br>Study Finds Vast Majority of Data Breaches Involve Unprotected Confidential Information on Off-Network Devices&lt;br>&lt;br>On August 7, financial services firm Merrill Lynch reported the theft of a laptop computer from its New Jersey corporate office – a computer containing sensitive personal and financial information, including Social Security numbers, for 33,000 of its employees. Such breaches of confidential information have become routine news for one simple reason: though sparing no expense to guard the security of their networks, corporations often fail to protect data on devices that are disconnected from the network.&lt;br>&lt;br>According to a new study by the Ponemon Institute, 73 percent of corporations experienced the loss or theft of a data-bearing asset in the last 24 months, yet those same organizations report limited efforts to manage this vulnerability. The new Ponemon report, National Survey: The Insecurity of Off-Network Security, will be discussed in detail today [22 August 2007] by study author Dr. Larry Ponemon, founder and chairman, Ponemon Institute, and study sponsor, Robert Houghton, president, Redemtech, during the Privacy Symposium at Harvard University. </description>
   <pubDate>Wed, 22 Aug 2007 14:48:19 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Ponemon-Redemtech-study.html</guid>
  </item>
  <item>
   <title>Romanian Scammers hit TradeMe Milestone</title>
   <link>http://complianceandprivacy.com/News-TradeMe-Scammers.html</link>
   <description>The criminal group responsible for numerous phishing scams on TradeMe hit a milestone on Saturday August 18th, 2007. Internet watchdog group ScamBusters reports that the number of hijacked TradeMe accounts used by a Romanian gang to place fraudulent listings on the site in the past eighteen months has now reached a total of one thousand.&lt;br>&lt;br>&quot;That's a lot of compromised accounts&quot; says spokesman Alf West. &quot;And they're only the ones that we've recorded. These criminals have many more accounts waiting in the wings, ready to use.&quot;&lt;br>&lt;br>ScamBuster Peter Andersen has been collating the hijacked accounts and auctions. &quot;The thousand TradeMe user accounts identified as being hacked in the past eighteen months have been used to run 3,391 fraudulent auctions&quot; he says, &quot;all for non-existent items.&quot;&lt;br>&lt;br>The scammers post auctions for high value items like laptops, cellphones and even expensive motor vehicles, and they inevitably include an email address. &quot;We need to make the point that these people are not running auctions at all&quot; says Andersen. &quot;They're using TradeMe to gain email contact with potential victims.&quot; He claims that while TradeMe eventually remove the fraudulent listings, the scammer's email address is visible for up to 24 hours at a time. </description>
   <pubDate>Tue, 21 Aug 2007 08:30:59 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-TradeMe-Scammers.html</guid>
  </item>
  <item>
   <title>MiFID - Outsourcing continues to be an issue</title>
   <link>http://complianceandprivacy.com/finance/</link>
   <description>A recent survey by City law firm Field Fisher Waterhouse has indicated that a significant percentage of outsourcing agreements signed by MiFID-impacted firms still fail to comply with the basic requirements of the directive. Whereas other regulations such as Basel II and Sarbox impact outsourcing by extrapolation of their rulings, MiFID is different in that it specifically refers to outsourcing and makes demands on outsourcing contracts, requires actions of supervisors and differentiates according to where the outsourcing service is located.&lt;br>&lt;br>The overall impact will be to require substantial re-writing of existing outsourcing contracts and potentially brings the outsourcing vendors into the supervision of national regulators. This was recognised by the UK’s Financial Services Authority who released specific guidance in May, see Chase Cooper News of 17th May. </description>
   <pubDate>Fri, 17 Aug 2007 10:29:43 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/finance/</guid>
  </item>
  <item>
   <title>Wi-Fi SideJacking opens eyes at BlackHat</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>During a recent presentation at BlackHat, Errata Security raised a few eyebrows by showing a pair of point-and-click &quot;SideJacking&quot; tools dubbed Ferret and Hamster. The approach taken by Hamster—web session cookie cloning—is not particularly new.&lt;br>&lt;br>However, by exploiting live BlackHat user traffic to gain access to attendees' GMail accounts, presenter Robert Graham made the threat posed by SideJacking perfectly clear:&lt;br>&lt;br>The next time you use an open Wi-Fi hotspot to access a vulnerable website, you may not be alone.&lt;br>&lt;br>SideJacking is the process of sniffing web cookies, then replaying them to clone another user's web session. Using a cloned web session, the jacker can exploit the victim's previously-established site access to change passwords, post mail messages, download files, or take any other action offered by that website.&lt;br>&lt;br>Unlike some better-known HTTP attacks, SideJacking isn't about stealing logins or disruptively taking over the victim's session. It's about transparently sharing authorized site access with a legitimate user, after that user has already logged in. </description>
   <pubDate>Wed, 15 Aug 2007 16:34:29 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Website rules for AIM companies</title>
   <link>http://complianceandprivacy.com/News-Eversheds-AIM-website-rules.html</link>
   <description>All companies listed on the AIM market have until 20 August 2007 to comply with regulations requiring detailed information to be included on their website. AIM is the London Stock Exchange's market for smaller growing companies. &lt;br>&lt;br>According to a recent survey carried out by Investis, only six of the top 100 AIM companies' websites currently achieve full compliance with these regulations. The Investis research reveals that less than one-third of the companies surveyed achieved a compliance score of over 50%, with one company not even having a website. More information on the survey can be found at the Investis website. &lt;br>&lt;br>The specific regulation is Rule 26 of the London Stock Exchange AIM Rules for Companies, issued in February 2007. A copy of these rules is available via the London Stock Exchange website.</description>
   <pubDate>Wed, 15 Aug 2007 12:55:29 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Eversheds-AIM-website-rules.html</guid>
  </item>
  <item>
   <title>MiFID: 50% say regulators slipping on guidance</title>
   <link>http://complianceandprivacy.com/finance/</link>
   <description>With less than 100 days before the 1 November deadline many financial services firms are unhappy with the support they are receiving from their national regulators as they prepare for the Markets in Financial Instruments Directive, found a survey by SunGard and TradeTech. Half the 300 respondents stated that their national regulators were either “bad” (32%) or “very bad” (19%) in helping them to get ready for the directive.&lt;br>&lt;br>In the UK, respondents were divided on whether the Financial Services Authority’s minimal guidance, principles-based approach to MiFID was a good one – only 54% believed that this is “the best approach to prevent regulatory overload”, with the remaining respondents stating that this approach “makes it difficult to understand exactly what requirements the FSA desires, adding to the compliance task”.&lt;br>&lt;br>The survey showed an overall increase in MiFID readiness – 53% of respondents now believe their preparations for the directive are “ahead” or “right-on-track”, compared with just 34% in September 2006. However, opinions are still divided on whether MiFID will have a positive impact. The majority (54%) of institutions surveyed state that they see MiFID as just “another piece of compliance”. In addition, only 42% of respondents believe that MiFID will be good for Europe’s economy in the next 5 – 10 years, with over a third still undecided.</description>
   <pubDate>Wed, 01 Aug 2007 10:17:03 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/finance/</guid>
  </item>
  <item>
   <title>The Coalition Against Domain Name Abuse to Combat Cybersquatting</title>
   <link>http://complianceandprivacy.com/News-CADNA-campaign.html</link>
   <description>The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its national campaign against Internet fraud. A non-profit organization based in Washington D.C., CADNA is leading the way in confronting cybersquatting – the fraudulent abuse of domain name registration that threatens the future viability of Internet commerce.&lt;br>&lt;br>Although the Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting remains an underestimated threat. The number of .com domain names alone has doubled since 2003, and the number of cybersquatting disputes being filed with the World Intellectual Property Organization (WIPO) is on the rise – up 25% in 2006 from 2005. According to a recent independent report, cybersquatting increased by 248% in the past year.&lt;br>&lt;br>With growing ease and profitability, sophisticated cybersquatters are exploiting a flaw in the domain name registration process whereby domain names are registered and subsequently dropped, risk free, within an accepted 5-day grace period. By abusing this grace period, cybersquatters “taste” and “kite” domain names in order to test their profitability. According to a recent industry report, there are over 1 million kited sites re-registered daily, collectively bringing in $100-125 million in annual revenue for criminals and profiteers. On the whole, cybersquatting is costing brand owners worldwide well over $1 billion every year as a result of diverted sales, the loss of hard-earned trust and goodwill, and the increasing enforcement expense of protecting consumers from Internet-based fraud.&lt;br>&lt;br>Cybersquatters' increasing assault on intellectual property hurts everyone involved, including consumers and the Internet community at large. 
By registering domain names derived from famous brands, cybersquatters are able to successfully lure consumers into purchasing counterfeit products (including potentially harmful counterfeit prescription drugs), giving away their personal information (which could lead to further financial loss) and unwittingly exposing themselves to spyware deposits. According to the International AntiCounterfeiting Coalition (IACC), $600 billion was spent online for counterfeits in 2006. Phishing, a fraud enabled by cybersquatting, is also growing at an alarming rate. The Internet Crime Complaint Center, a partnership of the National White Collar Crime Center and the Federal Bureau of Investigation, found that consumers in the U.S. reported personal losses of $198.44 million to phishing in 2006. </description>
   <pubDate>Fri, 27 Jul 2007 14:28:29 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-CADNA-campaign.html</guid>
  </item>
  <item>
   <title>Newcastle City Council accidentally releases credit card details to accessible system</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>Newcastle City Council has said it accidentally put 54,000 credit- and debit-card details on a computer system that could be accessed externally.&lt;br>&lt;br>The council has today admitted it inappropriately released up to 54,000 credit- and debit-card details covering transactions between February 2006 and April 2007, covering payments to the council including council tax, business rates, parking fines, and rent payments.</description>
   <pubDate>Fri, 27 Jul 2007 14:15:17 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Monster Worldwide Hardens Its Web Security with Cyveillance</title>
   <link>http://complianceandprivacy.com/News-Monster-brand-protection.html</link>
   <description>Cyveillance, a global leader in cyber intelligence, today announced that Monster®, the leading global online career and recruitment resource and flagship brand of Monster Worldwide, Inc. (NASDAQ:MNST), has selected Cyveillance to help further protect its customers from potential online fraud. Under the agreement, Cyveillance will also provide Monster with brand identity protection in addition to user privacy and anti-phishing services.&lt;br>&lt;br>&quot;Enhancing Monster's defenses against phishing and other online fraud is a top priority,&quot; said Patrick W. Manzo, vice president, Compliance and Fraud Prevention, Monster North America. &quot;Cyveillance's proactive cyber intelligence will help Monster provide our customers with an even safer environment to conduct their online career development and recruiting activities.&quot; </description>
   <pubDate>Wed, 25 Jul 2007 10:27:36 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Monster-brand-protection.html</guid>
  </item>
  <item>
   <title>Reg NMS and MiFid...Together Forever?</title>
   <link>http://complianceandprivacy.com/finance/</link>
   <description>Is there a possibility that MiFid and Reg NMS could one day be accepted by regulators on both sides of the Atlantic as being equivalent?&lt;br>&lt;br>While financial services firms in the U.S. have been gearing up this year for the full implementation of Reg NMS, companies in Europe have been preparing for MiFid. (Well, actually only 8 of the 27 EU member states have so far implemented the legislation into their domestic law.)&lt;br>&lt;br>Now, the head of the Centre for European Policy Studies (CEPS) is urging the European Commission to look into the similarities and differences between MiFid and Reg NMS.&lt;br>&lt;br>Karel Lannoo, chief executive of CEPS, says both pieces of legislation came into effect at around the same time, and both are aimed at &quot;updating regulation to reflect technological changes and market developments.&quot; </description>
   <pubDate>Wed, 25 Jul 2007 07:03:43 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/finance/</guid>
  </item>
  <item>
   <title>More investment managers using web for reports</title>
   <link>http://complianceandprivacy.com/finance/</link>
   <description>Investment managers are increasingly delivering client reports online, according to research by Rhyme Systems, an asset management services company.&lt;br>&lt;br>A survey of managers at a Rhyme Systems workshop shows there is a growing trend towards web delivery and a need for greater reporting flexibility to accommodate changing client needs.&lt;br>&lt;br>The research also suggests all client reports might need to be bespoke but raises questions about how to charge the cost to the customer.  However, most firms surveyed do not measure the cost of producing individual client reports.&lt;br>&lt;br>There is also a trend towards integrating client reports across a business rather than using a separate service.</description>
   <pubDate>Wed, 25 Jul 2007 06:59:16 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/finance/</guid>
  </item>
  <item>
   <title>Security Advancements in Microsoft Windows Vista and IE7 - iDefense on demand webcast replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>Microsoft Corp. released beta versions of its new Windows Vista operating system and version 7.0 of its Internet Explorer Web browser in 2005. However, the new products have yet to be released commercially. This presentation will focus on the new security features planned for these two new products, explaining how these features will benefit the overall security of the Windows platform and potential problems they may introduce. Emphasis will be placed on how vulnerabilities in earlier versions of Windows led Microsoft to implement these features and change the way the company approaches software security. </description>
   <pubDate>Tue, 17 Jul 2007 14:07:01 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Uncovering Online Fraud Rings: The Russian Business Network - iDefense Webcast</title>
   <link>http://complianceandprivacy.com/events.asp</link>
   <description>The Russian Business Network (RBN) developed into its current incarnation as &quot;the baddest of the bad&quot; Internet service provider (ISP) in June 2006. Before then, much of the malicious code currently hosted on RBN servers was located on the IP block of another St. Petersburg ISP, the now-defunct ValueDot. Like ValueDot before it, but unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control (C&amp;C), denial of service (DoS) attacks and child pornography on every single server owned and operated by RBN. </description>
   <pubDate>Tue, 17 Jul 2007 14:01:10 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events.asp</guid>
  </item>
  <item>
   <title>Predicting Disruptive Technologies over the next 5 years - iDefense Webcast</title>
   <link>http://complianceandprivacy.com/events.asp</link>
   <description>Disruptors, understood as radical shifts in technological or behavioral trend-line trajectories, are considered &quot;disruptive&quot; largely because they are unforeseeable or else, if somewhat foreseeable, cannot be modeled precisely enough to facilitate control over the process. With this in mind this report analyses numerous and varied potential disruptors, some of which may never come to fruition. Thus, each section explicitly acknowledges the level of confidence with which analysts estimate each disruptor's potential impact; some will be almost sure to occur, others less likely and still others of uncertain likelihood. In this way, deci</description>
   <pubDate>Tue, 17 Jul 2007 14:01:03 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events.asp</guid>
  </item>
  <item>
   <title>Italy Arrests 26 for Phishing</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>Italian authorities are bringing charges in a scam involving fraudulent e-mail to bank customers.&lt;br>&lt;br>Italy has become the latest country to clamp down on phishing, with authorities there arresting 26 people for an alleged scam to swindle bank customers.&lt;br>&lt;br>According to a statement by one of those arrested, the scam involved sending fraudulent e-mails that appeared to come from Poste Italiane, the country's postal operator, which also offers bank accounts, insurance and loans, according to a news release (in Italian) from the Guardia di Finanza, which handles financial crimes.&lt;br>&lt;br>The e-mails urged victims to hand over sensitive financial information, which was then used to draw money from their accounts, the finance authority said. Eighteen of those arrested are Italian citizens, with the remainder from Eastern European countries.</description>
   <pubDate>Tue, 17 Jul 2007 13:11:33 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>SSL certificates gone wild</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>By using so-called &quot;Wildcard&quot; certs, you can save a few headaches and a pile of money. Experts discuss the implications for virtualization as well as the potential risks.&lt;br>&lt;br>&quot;Where Wildcard certs have value is for anyone who is hosting multiple servers or server instances on one platform,&quot; said Quin. &quot;Why this is becoming valuable at this point in time is because of the growing popularity of virtualization – as I virtualize I put more instances on one physical device and therefore I can now validate the trust of all of those instances with a single certificate.&quot;&lt;br>&lt;br>But SSL is not about providing security; rather, it's about validating trust. While it creates a secure channel of communications between the user and end-point server, it has nothing to do with security on the server itself.</description>
   <pubDate>Tue, 17 Jul 2007 12:37:47 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>CEOs urged to raise their game following unacceptable privacy breaches</title>
   <link>http://complianceandprivacy.com/News-UKIC-2007-report.html</link>
   <description>The UK Information Commissioner is calling on UK chief executives to take the security of employees’ and customers’ personal information more seriously. His call follows a number of unacceptable security breaches over the last year, involving leading names such as Orange and several high street banks.&lt;br>&lt;br>Speaking at the launch of his annual report in London, Richard Thomas, the Information Commissioner, said: ‘Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.&lt;br>&lt;br>‘How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?’&lt;br>&lt;br>The Information Commissioner added: ‘Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately – but privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.’</description>
   <pubDate>Fri, 13 Jul 2007 08:30:07 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-2007-report.html</guid>
  </item>
 </channel>
</rss>
