VeriSign Security Review - December 2006
In this edition, learn about the 5 public blogs that VeriSign employees are using to facilitate communication and technology intelligence among customers, partners, and developers. VeriSign is responding to customer and industry needs every day and in November, VeriSign hosted several of their most influential customers at a Technical Advisory Council to discuss the state of security and the direction of future product offerings. On the international front, VeriSign participated in a keynote presentation at RSA Conference Europe on the topic of Internet Security and the importance of global industries sharing intelligence to better secure online transactions. Enjoy this last edition of 2006 and have a happy and safe holiday season.
In This Issue:
Monthly Threat Summary
- Microsoft's security update for November addresses a number of critical vulnerabilities, most notably in Internet Explorer 6.0, XML, and the Workstation service. Security experts believe the flaw in Workstation to be significant, as it would allow an attacker to remotely download malicious code on a targeted computer. VeriSign urges all customers to download all applicable patches as soon as possible.
News from VeriSign
- VeriSign to Acquire inCode Wireless
- WestCom and VeriSign Announce Strategic Alliance
- U.S. Department of Education Turns to VeriSign for Meeting HSPD-12 Deadline
- January 8-11, 2007, International CES, Las Vegas, NV
- January 14-17, PTC '07, Honolulu, HI
- February 5-9, RSA Conference, San Francisco, CA
F500 blogs more than double this year
Technorati's latest “State of the Blogosphere” report showed that of the total 57 million blogs that it is tracking, nearly 3 million were launched from July through September—an average of 100,000 new sites every day. Although traditional media sites continue to dominate the top 100 Web sites, blogs have mostly taken over the rest of the top 500 list. Corporations are realizing that blogging offers a viable, focused, and cost-efficient channel for corporate messaging. As of October 2006, 40 (or 8%) of the Fortune 500 companies were blogging, more than double the number in January 2006.
VeriSign is among the frontrunners with five public blogs, featuring thought leaders in the field of IT and engineering. Phillip Hallam-Baker, who has his own blog here and on the VeriSign site, explains that blogs are an ideal channel for a certain type of technical information. “When you discover, for example, a loophole in a cryptography function, the last thing you want to do is create a press release to draw attention to it,” he explains. “Responding to those issues in a blog enables us to put out the information in a form that customers, prospects, and salespeople can access, without drawing unwelcome attention to the matter.”
Hallam-Baker sees blogs as a good way to communicate other types of information as well. “They're useful when we have a position or a stake in an issue, but don't have an immediate product or follow-through announcement. They're also a more efficient way of delivering conference presentation materials, without the time and expense of travel.” Like newsletters, blogs can add value for customers by updating them on the latest developments in standards and protocols, or decoding some new marketing term.
In his VeriSign blog, Hallam-Baker promotes a different way of looking at security, based on accountability. “Traditionally, organizations had only a few assets to protect. Now, they have many more, but no single asset is worth much,” he says. “It no longer makes sense to prioritize asset protection, but to focus on authentication. I want to get readers thinking about stronger authentication, by building the case for accountability.”
As for Hallam-Baker himself, his Web reading focuses on technical blogs and current affairs. “Technical blogs keep me up to date on what's going on in the field of security,” he explains. “Current events blogs help me anticipate and understand the pressures and opportunities that could impact the business environment. Both types of blogs help me stay on top of the latest developments, so I don't get blindsided.”
Third Annual TAC Helps Us Track Customers' Needs
At VeriSign, we believe the best leaders are often the best listeners. We're always listening to our customers and prospects, and once a year, we host an annual technical advisory council (TAC). This year, our third TAC took place in November with 16 of our most influential customers from some of the world's top technology, security, financial, and retail companies.
In a series of intense, highly interactive working sessions, we probed for more information about their evolving needs. We told them our plans and our ideas, and they helped us set the direction for current and future security products and services. By the time the sessions concluded, we had validation for our short-term product roadmap, a wish list for longer-term enterprise security solutions, and some great ideas for new product offerings and partnerships.
Now we're eagerly planning to leverage what we've learned. Last year's TAC was the inspiration for the development of our Security Risk Profiling product. This year's TAC—well, watch this space. And meanwhile, keep telling us what you think of our products, our services, and the challenges you face. We're listening—and with your help, we're leading.
VeriSign's Keynote on Identity Security at RSA Conference Europe 2006
When Nico Popp, Vice President for VeriSign Security Services, gave a keynote presentation on identity security at the RSA Conference Europe 2006, more than 500 people packed the Nice Acropolis Exhibition Centre.
This thought-provoking presentation, titled 'Identity Security: Time to Share', focused on the issues related to identity theft, online fraud, and phishing. Through presentation and demonstration, Popp provided insight into the concept of an identity network and the notion that the 'good guys' should be working on global and intelligent infrastructures that facilitate sharing of intelligence.
One of the most powerful parts of the presentation was a demo scenario, acted out by Andrew Horbury and Mike Davies. One played the part of 'Mr Goodguy,' an ordinary person who uses the Internet to gather information and make personal transactions, including purchases. The other played the part of 'Mr Badguy,' intent on stealing Mr Goodguy's identity by launching a botnet attack. The scenario included demonstrations of the new High Assurance certificates on the Website of a bank account, the functionality of the VeriSign Identity Protection (VIP) fraud detection services behavioral engine, and the protection provided by using SMS challenge response over an OTP cell phone.
Learn more about the VeriSign Identity Protection (VIP) suite of products.
Monthly Threat Summary
Microsoft's security update for November addresses a number of critical vulnerabilities in Microsoft products, most notably Internet Explorer 6.0, in XML and in the Workstation service. Security experts believe the flaw in Workstation to be significant, as it would allow an attacker to remotely download malicious code on a targeted computer. VeriSign urges all customers to download all applicable patches as soon as possible.
With recent high-profile mass arrests of prominent individuals in the online credit card fraud community, the FBI has succeeded in forcing many popular carding forums offline. However, carding forums have been disrupted by similar events over the past years and have staged dramatic comebacks.
The Stration worm (aka Warezov) continues to spread in massive numbers. It avoids anti-virus software by constantly downloading new variants of itself. Six hours after the worm downloads a Trojan horse program to an infected computer, the Trojan downloads a “spambot” that sends out massive amounts of advertisements.
A new study by Gartner Inc. claims that the number of people who have received phishing e-mails has almost doubled to 109 million, and financial losses due to phishing have risen to $2.8 billion. While fewer people are falling victim to phishing attacks than in 2005, the average reported loss per attack has nearly quintupled. Anti-phishing Web browsers are having some impact, but educating users remains the best way to combat phishing.
In other phishing-related news, PhishTank, an open-source repository for phishing attacks and related information, has released its first statistics analyzing its content. Companies seeking better protection from phishing attacks may also be interested in a recent report by SmartWare, a software testing company, claiming that the newest version of Mozilla's Firefox is more effective than Internet Explorer 7.0 in protecting users from phishing attacks. For a useful news article about this report, see Brian Krebs' article in The Washington Post.
Also, Google has admitted that three recent posts to its Google Video blog contained copies of the Kama Sutra worm. All subscribers should run anti-virus checks on their computers.
News from VeriSign
VeriSign to Acquire inCode Wireless
VeriSign has signed a definitive agreement to acquire inCode Wireless, a global business and technology consulting firm. By combining inCode's strategic consulting services with VeriSign's market-leading portfolio of managed communications and content offerings, VeriSign plans to offer end-to-end solutions that enable customers to launch compelling services that drive new revenue streams and improve customer loyalty. Read the press release.
WestCom and VeriSign Announce Strategic Alliance
WestCom Corp. and VeriSign announced a strategic alliance agreement to jointly market and deliver a suite of next-generation converged IP services to the global financial community. The alliance brings together one of the world's largest providers of trader voice services with the leading global provider of intelligent infrastructure services. Read the press release.
U.S. Department of Education Turns to VeriSign for Meeting HSPD-12 Deadline
The U.S. Department of Education has chosen VeriSign's integrated authentication services to comply with Homeland Security Presidential Directive 12 (HSPD-12), the federal government's secure identity credentialing mandate. VeriSign will provide the government agency with an integrated, managed solution for rapid deployment and prompt compliance with the mandate. Read the press release.
Managed Security Services Panel Discussion
The managed security services marketplace is a confusing beast, because it includes so many diverse vendors. In this panel discussion, Paul Stamp, senior analyst from Forrester Research, poses questions and discusses issues surrounding managed security services with Scott Magrath, VeriSign director of product marketing, and colleagues from BT, Unisys, and Symantec. This is a great opportunity to gain insight into these services, across the IT spectrum.
Click here to register to download this podcast.
January 8-11, 2007 International CES, Las Vegas, NV
VeriSign will be exhibiting its Kontiki product at CES, the world's largest annual tradeshow for consumer technology. VeriSign Kontiki offers the industry's most secure and scalable digital media delivery solution, enabling enterprises and content providers to securely publish, deliver, and track digital media to employees, partners, and customers.
January 14-17, PTC '07, Honolulu, HI
PTC is the #1 Asia-Pacific international conference for telecommunications and ICT professionals. Hard-hitting informative sessions will help prepare you to leverage new partnerships and remain competitive in an ever-changing marketplace. Don't miss the presentation by Sean Kent of VeriSign, Carrier-to-Carrier Enterprise Peering Made Easier, January 15, 1:30 p.m.
February 5-9, RSA Conference, San Francisco, CA
The RSA Conference is the unbiased resource thousands of information security professionals rely on for networking and knowledge sharing. It offers targeted classroom sessions, keynotes by industry luminaries, and a world-class exposition. If you're attending this year's show, please stop by VeriSign booth #1409.