VeriSign Security Review - May 2006
As phishing continues to mature, one of the last sanctuaries supposedly free of such malice has come under attack. The SSL/TLS encrypted Web page used for securely transmitting private information has seen increased abuse by phishers. They took advantage of loopholes in some SSL Certificate practices and obtained certificates that make them look legitimate. IE 7 will change that, and enterprise security managers should take notice: the advent of High Assurance Certificates will prove its long-term effectiveness against phishing.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Security Events
MetaFisher – The New Face of Botnets
The last two years saw the emergence of Web-controlled botnets used for attacks such as phishing, and MetaFisher was the most sophisticated such botnet.
MetaFisher appeared in 2005 as a bot, and security analysts knew immediately that it was a highly sophisticated work in progress. In late 2005, at the height of the Microsoft Windows Media File (WMF) incident, MetaFisher activity ramped up. In February 2006, when VeriSign iDefense Labs spotted MetaFisher's unusual encrypted communication with a Web site, it investigated further and discovered that a sophisticated command-and-control center with a PHP interface was used to manage a bot family and trigger phishing attacks. MetaFisher managed to evade anti-virus and intrusion detection systems by running as a Browser Helper Object (BHO) on the infected computer.
In March, VeriSign iDefense Labs broke the encryption scheme used to control MetaFisher-infected computers and, through painstaking analysis and cooperation with other researchers such as Sunbelt Software and Symantec, correlated the codes and scope of the attacks to date, which included banks in the U.K., Germany, and Spain. The VeriSign iDefense team then worked with VeriSign's Security Operations Center (SOC) to develop and deploy Snort signatures to effectively detect MetaFisher activities.
VeriSign leveraged its intelligent infrastructure services supported by a team of analysts and engineers to best understand the full scope of this massive and sophisticated operation. VeriSign also had the customer reach to prevent devastating attacks on financial targets.
April Threat Summary
The VeriSign iDefense Threat Level eased after patches came out for the Microsoft 06-012 vulnerability. Microsoft, however, has just released two new critical bulletins, Microsoft 06-019 involving Microsoft Exchange, and Microsoft 06-020 involving Macromedia Flash in Windows XP and IE 6. Both could allow remote code execution.
Cloudmark detected two phishing schemes that used Voice over IP (VoIP) to collect personal banking information. Phishers may have been using this technique for some time, though these are the first detected attacks of their kind. More at Information Week.
Sendmail, Inc. reported a race condition vulnerability that affects the mail transfer agent on a wide scale. A remote, unauthenticated attacker could execute arbitrary code with the privileges of the Sendmail process. If Sendmail is running as root, the attacker could take complete control of an affected system. Sendmail has provided an Advisory and a new version of the software is available.
On April 18, Oracle Corporation released a security bulletin that addressed 39 vulnerabilities in multiple products. The security bulletin did not release details on those vulnerabilities.
IE 7 Beta 2 Released
Microsoft has released an updated test version of IE 7 for Windows XP and is hoping to convince the public to try out the evolving software. To help spur downloads of IE 7 Beta 2, the company is offering free telephone support for customers in Germany, Japan, and North America.
Asia Now #1 Spammer
Asia has overtaken North America as the top spam relaying region in the world, according to a report released on Thursday by Sophos. According to the report, nearly one half of the spam worldwide originated in Asia. North America was a distant second with just over 25 percent. On a per-country basis, the U.S. remains Number One while China is a close second.
Authorize.net Hacked
Online payment service provider Authorize.net reported on April 3 that its online processing service had been used by hackers attempting to steal money from credit and debit cards. The hackers ran 3,000 transactions on stolen credit cards over one weekend, but the theft was foiled when the Authorize.net auto-generated email alerted merchants of the processed payments. All fraudulent charges were voided.
Standards and Regulations
GAO Reports On SOX Burden
The Government Accountability Office (GAO) is releasing a report confirming that smaller firms indeed carry a proportionally heavier financial burden on Sarbanes-Oxley compliance. The SEC needs to come up with new regulations aimed at reducing smaller firms' compliance cost, the report says. It does point out that a lot of the cost is due to confusion and one-time startup costs.
First Local WiFi Security Law
Concerned with identity theft and other crimes over wireless networks, New York's Westchester County enacted a law that requires businesses to install basic security measures when customers' personal information is transmitted via wireless networks.
News from VeriSign
VeriSign Hosts Risk Management Talks
With a keen understanding of customers' needs to balance security investments with security risks, VeriSign is inviting IT professionals to a series of risk management talks. In this six-city tour through New York, Washington, D.C., Atlanta, Chicago, Dallas, and Mountain View, IT professionals will have a chance to mingle with each other and hear discussions on the holistic view of threats, vulnerabilities, network access policies, and potential business impacts in assessing security risk. VeriSign will demonstrate how to dynamically generate a risk score including financial impacts, to simulate and model the effects of changes, and to measure compliance with both internal and external policies and regulations.
Get Ready for IE 7
High Assurance SSL: What Does It Mean To You?
Many enterprise customers have asked about the upcoming Microsoft IE 7 release and what it would mean to enterprise security. VeriSign is engaged in one of the most significant developments in IE 7: the new High Assurance SSL Certificates for securing online transactions.
With the new IE 7 release, there will be a new kind of SSL Certificate to assure users of the identity of an encrypted site. Whereas other certificates will retain the same cumbersome user interface as they have in Internet Explorer 6, High Assurance certificates display the organizational identification and the issuing certificate authority (CA) right in the top address bar and also turn the address bar green to signal safety.
To issue a High Assurance certificate, the CA must validate the applicant organization through vetting processes that meet the High Assurance standard. To meet the High Assurance standard, a CA may have to bolster its certificate issuance practices. A certificate issued merely upon verifying domain name ownership, for example, does not meet the High Assurance standard and cannot be displayed as such.
What Should You Do to Get Ready?
As IE 7 gets wider market adoption, site visitors will likely be looking for High Assurance when they consider giving up personal information. For large enterprises, High Assurance certificates will not only bolster customer confidence but, in the long run, will also become one of the most effective anti-phishing tools, as they are nearly impossible to spoof.
Prepare to meet your customers' demand for IE 7 and High Assurance SSL by talking to your certificate authority (CA). You may be going through a more stringent vetting process than before. Your IT manager in charge of certificate issuance, for example, may need further proof that he or she indeed has the authority to do so. Other administrative steps to ensure a smooth transition include making sure that your registered domain names are correctly listed and have the right contact names. VeriSign has been a leading contributor to the emerging High Assurance SSL standard. Contact your VeriSign representative for more information.
Security Events
May 23-25, 2006
World Enterprise Information World
Secaucus, NJ
June 4-6, 2006
GLOBALCOMM 2006
Chicago, IL
June 5-7, 2006
Gartner IT Security Summit
Washington, D.C.
June 6-7, 2006
NACHA Authentication Mandate
Reston, VA
June 27-29, 2006
Identity Management Conference
Chicago, IL