Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 24 January 2007

in this issue:
  • VeriSign issues VoIP security tips
  • Mixed bag for users in 2007 security crystal ball
  • Security threats on Web more serious this year
  • Faster payments should not result in weaker authentication
  • HM Revenue phish surfaces
  • Email marketing abuse is rife among top UK companies
  • PayPal users to get pass-code device
  • Draft MiFID guidelines published
  • Script kiddie phishing kit
  • Anti-malware system goes in goal at Derby after Trojans land in net
  • Six people arrested for hacking over 20,000 computers
  • HP PI pleads guilty to identity theft
  • New E-Commerce Identity Tag Makes Online Debut
  • VeriSign offers bounty on Vista and IE7 bugs
  • Cost of Identity Theft to UK Economy

    Dear Visitor,

    If you thought that security, privacy and compliance would be less in the news in 2007, think again. We predicted it, in a way, by moving to twice a month for the newsletters, but the sheer volume of news items has even surprised us.

    We're only putting a selection of news items in this newsletter - it's about 50% of the items we've published since January 4th. Everything goes out on our news-feed, of course, so early-birds can see all items as they happen. Have you subscribed to that yet? Internet Explorer 7 makes that easy, and you really need that now that browser address bars are starting to turn green.

    Phishing is set to increase. Every authoritative source says so. 2007 is already bursting with phishing expeditions, and that's just online and, as we saw in the last issue, on the phone, too. But Identity Theft is growing in physical form, too, hence PayPal's strides with testing of a personal passkey device.

    Not that any of this will save people from spending money on legitimate looking websites, as in Spain recently, but that is what SSL is for, and trusting only valid certificate providers whose details tally. So we are back to "How green is my browser?"

    Peter Andrews

    VeriSign issues VoIP security tips

    A blog written by security staff at supplier VeriSign has outlined 25 ways to secure an enterprise network that runs voice over IP (VoIP).

    VoIP security has been a key concern for IT professionals to date, along with VoIP quality.

    The tips include restricting all VoIP data to one Virtual Local Area Network (VLAN); monitoring and tracking traffic patterns on your VoIP network; using multiple layers of encryption; and even avoiding remote management.

    Other tips are: to lock down your VoIP servers; keep your network away from the internet; update patches regularly; minimise the use of softphones; isolate voice traffic; and use vendors who provide digital security certificates.

    Mixed bag for users in 2007 security crystal ball

    2007 will bring a mix of the good and the bad with respect to security. There'll be more phishing attacks, more zero-day exploits, and more agenda-driven malware attacks. A shake-up in the security channel is looming. But the launch of Vista promises more security for users, and there'll be opportunities for VARs to develop new strategies around delivering product to new markets.

    Phishing attacks, already increasingly a common occurrence, will only increase in number and force, according to Zulfikar Ramzan, senior principal researcher, Advanced Threat Research Group, at Symantec.

    "In 2007, we will see a continued increase in phishing attacks," he said. "We will also see an uptick in attacks on new industry sectors, such as online retail, and on multi-player online games, as they become more popular. Symantec's always working hard to stay one step ahead of malware authors, so we will be bringing out a lot of heuristic-based new technologies in 2007."

    Security threats on Web more serious this year

    It was the year when cybercriminals targeted everything from MySpace to Wikipedia, and even a Web site maintained by a Kentucky Boy Scout troop wasn't safe for casual browsing.

    Computer security experts said 2006 was also the year that hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer developers and software sellers.

    Like true business people, bad guys not only broadened their reach by attacking popular social networking sites, they also diversified their product line by launching attacks through popular software applications like PowerPoint and Adobe Reader and expanded their activities overseas.

    Software makers who try to stop online crooks say they are bracing for a new level of nastiness in 2007, including malicious Web sites that are booby-trapped with software that loads itself automatically onto the machines of users who merely visit the site.

    Faster payments should not result in weaker authentication

    The 11 faster payments member banks are progressing rapidly with their implementation projects ahead of the November 2007 deadline. However, as the systems being developed will enable a payment to be processed in less than 15 seconds, there is no time to stop a payment, and adequate authentication of the transactions becomes critical.

    Paul Meadowcroft, head of transaction security at Thales e-Security, commented: "While the 11 member banks have accepted the rationale and, indeed, benefits faster payment services (FPS) will bring, especially from a customer satisfaction point of view, they are equally aware that FPS has a significant impact upon their fraud risk modelling. Put simply, current systems are not up to the challenge of receiving a payment instruction from a variety of different channels and strongly authenticating that person to prove they are who they say they are within the 15 second transaction processing time limit."

    "The effect of this will be felt on many levels. From a basic cost point of view, it exposes the bank to higher risk from fraud and money laundering. However, potentially more damaging could be the effect upon customer satisfaction should the customer fall victim to fraud. Furthermore, it could have a negative impact upon the brand equity of the bank if such failings are perceived to exist."

    HM Revenue phish surfaces

    Phishing fraudsters are targeting UK taxpayers in the latest attempt to dupe the gullible into handing over sensitive financial details.

    The bogus emails promised prospective marks a fictitious tax refund of £70. The attack represents part of the ongoing trend for fraudsters to extend the scope of their targets beyond traditional ones such as eBay, PayPal and Bank of America.

    Email marketing abuse is rife among top UK companies

    A study of the UK's biggest companies has found 31% of them breaking anti-spam laws by sending marketing emails without either prior consent or an existing customer relationship.

    CDMS, a data and marketing firm, examined compliance with the EU Directive on Privacy and Electronic Communications by the top 200 companies across 13 sectors, including banking, general insurance, retail and mobile telecoms.

    The companies were tested to see whether they consistently offered non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry. These promotions appeared either on the company's own website, through a partner company's website, in a third party e-newsletter, or as part of an advertising or direct mail campaign.

    PayPal users to get pass-code device

    eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

    The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle against data-thieving phishing scams.

    A PayPal spokeswoman said: "If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code. This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."

    The "PayPal Security Key" will cost $5 for personal PayPal accounts but will be free for business accounts, the spokeswoman said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she added. As of 30 September, there were nearly 123 million PayPal accounts, according to eBay.
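As an added illustration (not PayPal's or VeriSign's actual token algorithm), the following shows how a six-digit code that changes every 30 seconds, of the kind described above, is derived and then checked on the server side, including the points a practitioner cares about: tolerance for one window of clock drift, a constant-time comparison, and a replay guard so that a code captured by a phisher cannot be reused once it has been accepted. The secret and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

# Parameters matching the device described above: a six-digit code about every 30 seconds.
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """Code for the 30-second window containing unix_time (HMAC-SHA1, RFC 6238 style)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class SecondFactorChecker:
    """Server side: verifies a submitted code, tolerates skew_steps windows of clock
    drift either way, and refuses any window at or before the last accepted one,
    so a code that has already been used (or an older captured one) is rejected."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret                                  # shared with the key fob
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        base = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = base + delta
            if counter <= self.last_accepted_counter:
                continue                                      # replay or stale window
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):      # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"                  # constructed, not a real key
    now = 1_200_000_000
    checker = SecondFactorChecker(demo_secret)
    code = totp(demo_secret, now)
    print("first use accepted:", checker.verify(code, now + 10))
    print("replay accepted:", checker.verify(code, now + 10))
```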

    Draft MiFID guidelines published

    MiFID Connect, a joint project designed to simplify implementation of the Markets in Financial Instruments Directive, has published a set of draft MiFID guidelines for firms.

    The guidelines, covering investment research, suitability and appropriateness, best execution and conflicts of interest, are based on draft Financial Services Authority text and relate to the FSA's expected rules on implementing MiFID.

    They have been developed by trade associations such as the Association of British Insurers (ABI) and the British Bankers' Association (BBA).

    Script kiddie phishing kit

    A DIY phishing kit which could put formerly sophisticated fraud attacks into the hands of script kiddies is now available online.

    "The Universal Man-in-the-Middle Phishing Kit enables fraudsters to sit between prospective marks and legitimate businesses," says The Register. "Rather than just setting up a bogus website that's promoted through spam email, crooks set up a fraudulent website as a conduit through a legitimate website to communicate with their victims. The technology allows con men to automatically capture victims' personal information in real-time."

    Said to have a user-friendly interface designed to help the non-technical criminal, the kit "automates the programming needed to pull off a normally tricky man-in-the-middle attack on websites such as banks or e-commerce sites," says PC World.

    Anti-malware system goes in goal at Derby after Trojans land in net

    Derby County Football Club has replaced its anti-virus systems with advanced anti-malware technology, following an attempted hacking attack on its networks.

    The football club stepped up its security after discovering that its anti-virus system had failed to detect Trojans that could allow hackers to access its networks.

    It replaced the system with technology from Prevx which disrupts malware by blocking any unknown program running on the network.

    The club was forced to shut down its network of 100 PCs in September last year after discovering copies of the Rbot worm, which installs a backdoor for hackers, on a laptop. System logs showed that hackers had attempted to use the Rbot backdoor to break into the football club's network.

    Six people arrested for hacking over 20,000 computers

    Spanish Police have arrested six people suspected of hacking more than 20,000 computers in Spain to steal credit card numbers and other personal bank data in Navarre.

    A 19-year-old man, who had an international arrest warrant out for him, led the group. The arrested were identified as five Moroccan nationals and one Spanish woman from Spain's African enclave of Ceuta.

    The suspects created bogus web pages that people logged on to in order to add money to pre-paid cell phone accounts, offering a large discount over the going rate for the service. Through those websites they collected the bank data of these unsuspecting consumers, police said in a statement.

    HP PI pleads guilty to identity theft

    A private investigator, hired by HP, pleaded guilty to charges of identity theft and conspiracy in the US on Friday.

    Bryan Wagner, 29, a data broker hired by the IT giant last year to probe the source of a news leak, pleaded guilty to the charges during his first appearance in a Californian court last week, according to a statement by the US Attorney.

    In court he admitted using "fraud and deceit" to obtain the private telephone records of company directors and journalists. The case will be the first conviction resulting from the HP boardroom leak scandal, with the Colorado resident facing up to seven years in prison. He will be sentenced in June.

    "In pleading guilty to two felony counts, Wagner admitted that he was paid as part of a conspiracy that made fraudulent use of Social Security numbers and other confidential information to obtain the personal phone records of reporters and HP officials, as well as the personal records of these individuals' family members," said a US Department of Justice spokesperson in a statement.

    New E-Commerce Identity Tag Makes Online Debut

    A long-promised technology for helping consumers verify the legitimacy of commercial Web sites made its debut on the Internet Friday: Visit online security company Entrust's login page with Microsoft's Internet Explorer 7 Web browser and you'll notice that the address bar has turned from white to green.

    Entrust's site appears to be the first to feature what are being called "extended validation certificates," a development that is equal parts technology, process and collaboration. It comes in response to an epidemic of phishing attacks, or online scams in which bad guys erect Web sites that impersonate trusted e-commerce and banking sites in order to trick users into revealing personal and financial data.

    VeriSign offers bounty on Vista and IE7 bugs

    VeriSign's iDefense unit is offering an $8,000 bounty to researchers who discover previously undocumented vulnerabilities in either Windows Vista or IE7.

    The flaws need to be serious enough to allow the remote execution of malware on up-to-date installations of the targeted platforms. Bugs that only crash systems, require social engineering tricks, have been previously disclosed or rely on interactions between Microsoft's software and third-party products won't qualify for payment.

    But for researchers who submit their zero-day vulnerabilities alongside working exploit code, additional payments of up to $4,000 are on offer via iDefense's controversial Vulnerability Contributor Program. Submissions need to be made before the end of March to qualify. Only the first six correct entries will qualify for the loot.

    Cost of Identity Theft to UK Economy

    The Home Office Identity Fraud Steering Committee completed a one-off exercise to update the Cabinet Office estimate for the purpose of establishing trends in the cost of identity fraud over the past three years. The latest estimate is that identity fraud costs the UK economy £1.7 billion. As with the previous study, it represents a best estimate of the scale of the problem.

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.