A summary of all the news items on Compliance and Privacy
To avoid long load times news is archived periodically. If you can't find what you are looking for on this page please refer to our archives. Please use the search engine for ease of retrieval.
Phorm, Webwise, OIX and the BCS Security Forum
Phorm over function? Perhaps that's the challenge when marketing desires clash with privacy hopes. But given the starting point of the Phorm furore, in the spring of 2008, we are now in the autumn of 2008 and it has been nothing but data breach after user faux pas, exposing countless millions of individuals' personally identifiable information. That has focussed the spotlight firmly upon the need to apply "privacy by design" principles from the outset, something the ICO will be taking a very serious view of in the coming months. The BCS Security Forum is equally involved in keeping a watching brief.
Read the BCS Security Forum Position Paper
Are you storing customer data properly? The challenges of PCI DSS compliance
Data security breaches are hitting the headlines with alarming frequency. While the most recent breaches have involved the public sector and financial services industries, retailers are not immune from the rise of data losses. Cotton Traders, the UK leisurewear and casual clothes brand, for example, recently conceded that thousands of customer details had been stolen from the company's website. Last year saw perhaps one of the most publicised cases, involving retail giant TJ Maxx, which found that hackers had accessed internal systems used to process and store customer transaction data, including credit card, debit card, cheque and return transactions. The incident cost TJ Maxx $256 million and the company is now offering to pay Visa card issuers a further $40.9 million to compensate for costs connected to the data breach. With data security cases rising in number and severity, the various industries affected are pulling together in an attempt to reduce the risk of fraud. The Payment Card Industry Data Security Standard (PCI DSS) is one such example, which aims to crack down on fraud associated with credit and debit cards. However, the implementation of PCI DSS is not without its challenges, and these must be overcome if the standard is to be used as an effective weapon in the fight against card fraud.
PCI DSS aims to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands. The standard applies to every acquiring bank, merchant and third party that accepts or processes payment cards. It is now mandatory for businesses with over 100,000 transactions a year to either be PCI DSS compliant or be able to demonstrate plans to become so. However, there is one element of the standard which is proving to be a particular stumbling block – requirement 3: protecting the stored cardholder data. In fact, 79 per cent of PCI DSS audit failures are due to companies not implementing requirement 3 properly.
Read the Article
Data Vendor Sends SPAM about The Dangers of Prospecting Databases
Today (4 September, 2008) ComplianceAndPrivacy.Com received an email that appears to be from Harris Infosource, a D&B Company. Not a lot wrong with that, you may say. The email is a cold unsolicited email, or SPAM. What makes this amusing is that the SPAM has this subject line:
"Why Using Cheap Prospect Lists Can Cost You Big!"
Harris Infosource, it seems, are the purveyors of fine prospect lists.
Harris addressed their SPAM to Milton Bennett at our domain. If Milton existed, if Milton had ever existed, if we had ever created, used or publicised an address for Milton, who is not now and never has been a member of our staff, then this would have been something we could pass off as "just one of those things". But we have never heard of Milton Bennett. He is a figment of Harris Infosource's database. We wonder if they are selling him as a part of their very fine data.
Read the article
Bank Customer Personal Data Sold on eBay
An investigation is under way into how a computer containing bank customers' personal data was sold on an internet auction site.
The PC, which was reportedly sold for £35 on eBay, had sensitive information on the hard drive.
The Royal Bank of Scotland (RBS) and its subsidiary, Natwest, have confirmed their customers' details were involved.
RBS says an archiving firm told it the PC had apparently been "inappropriately sold on via a third party".
It said historical information relating to credit card applications for their bank and others had been on the machine.
The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names.
Read more on the BBC
Best Western Denies Report of Massive Data Breach
A Scottish newspaper Friday ran a story that claimed to uncover a massive theft of data from Best Western's customer database, including personal information on all 8 million customers at the chain's 1,300 hotels in the past year.
After initially thanking the newspaper and doing its own investigation, however, the hotel chain now says The Sunday Herald's report of a massive breach at Best Western is "grossly unsubstantiated."
In its report, The Sunday Herald stated that "a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel Group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia." The newspaper called the attack "the greatest cyber-heist in world history," alleging that it "scooped up the personal details of every single customer that has booked into one of Best Western's 1,312 continental hotels since 2007."
The newspaper stated that Best Western officials thanked it for discovering the breach and immediately closed the security hole by Friday afternoon. "Best Western took immediate action to disable the compromised login account in question," a hotel spokesman told the paper on Friday. "We continue to investigate the root cause of the issue, including, but not limited to, the third-party Website that has allegedly facilitated this illegal exchange of information."
Last night, however, Best Western stated that its own investigation indicates that only about 13 customers are at risk, not 8 million.
Read the denial in Dark Reading
Best Western Data Loss - Indian hacker alleged brain behind biggest cyber-heist
An unknown Indian hacker is being 'charged' with the greatest cyber-heist in history for allegedly helping a criminal gang steal identities of an estimated eight million people in a hacking raid that could ultimately net more than 2.8 billion pounds in illegal funds.
An investigation by Scotland's Sunday Herald newspaper has discovered that late on Thursday night a previously unknown Indian hacker successfully breached the IT defences of UK's Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
There are no details yet on how the hacker was identified to be an Indian and if a probe is on to identify the person. It is also not known if the hotel chain has alerted the police about the heist.
Read the Economic Times Article
Republic of the Philippines can't do without policy on data privacy, security
Under no circumstances can the Philippines compete, let alone thrive, in the lucrative outsourcing market and the global marketplace without a fool-proof policy on data protection and security.
This was the clear message sent out by participants in a recent conference dubbed "Mapping the Future of Information Security Forum" organized by the Information Systems Security Society of the Philippines (ISSSP) at a hotel in Makati City.
Anthony Tuason, a director at consultancy firm PricewaterhouseCoopers, said during his presentation that IT companies, most especially those in the BPO sector, cannot possibly institute "IT governance" — the process of using technology as a management tool to run an organization — in the workplace if security is being disregarded.
"Innovation, value, and performance can be derived from IT governance (and) data privacy and security is one area that helps organizations achieve their IT governance objectives," Tuason said.
Read the Manila Bulletin article
Vietnam introduces heavy fines for spammers
Organisations and individuals who send spam mail and text messages or trade in e-mail addresses may be fined up to VND80 million (US$5,000), according to the newly-issued Decree on Anti-spam mail.
The decree bans organisations and individuals from using electronic means to deliver spam messages, exchange or trade e-mail addresses or deliver software products that collect e-mail addresses, according to the Ministry of Information and Communications.
Read the Viet Nam News article
National Gateway Security Survey 2008 Shows Interesting Changes in Threat Landscape
Main findings
- Strong move towards remote and mobile use.
- Securing the network from external attack is top priority.
- The focus for IT security is on external threat rather than internal threat. This is at variance with the threat risks most organisations face.
- Green issues considered important, but that is not yet translating into purchasing IT security.
- Conditions right for UTM growth.
- Users' purchasing decisions show IT security is not commoditised.
- Wireless and VoIP increasing.
Read the article
Unified Threat Management (UTM) - Watchguard Technologies
Unified threat management (UTM) spawned a new era of IT security. The promise of these integrated security appliances proved to be an exceptional and efficient way of securing commercial networks. However, businesses today face an inflection point, dictated by changing market trends and new technologies that demand more of today’s UTM. Hence the need is for eXtensible threat management (XTM) solutions, the next generation of UTM appliances. XTM is predicated upon the substantive expansion of three elements: more security, greater networking capabilities, and more management flexibility. This paper provides an overview of these issues and the WatchGuard® Technologies perspective on “extensibility” and XTM.
Read the article
Trust is not about SSL. It's about Top Level Domains
At ComplianceAndPrivacy we've been running a study on domains to trust. We don't mean "trustmydomain.com", we mean the thing most people call the 'domain suffix' but is really the 'Top Level Domain'; the little thing that you choose when buying "myfabulousdomain".
Do you choose .com, or do you think, incorrectly "That is for the USA"? Do you choose .biz? Is .org for you? What about .info?
So we asked, on a pretty normal website, this question: "Some domains seem to feel more trustworthy than others. This survey is about the .com .biz .info .org and other domain suffixes and which put you most at ease. OK, there are iffy nations, but we are lumping all national style ones under one entry. Tick all that say to you 'Trust this domain'"
We expected nothing significant. After all it was a website for Joe Q Public, and this is what we got:
Read the Article
How Centralised Unified Threat Management (UTM) Can Help Companies Control Security At Remote Offices, Simplify Administration And Cut Costs
Summary
- In today's distributed computing environment, it is becoming increasingly important to control security at remote locations from the centre.
- Companies such as WatchGuard are now providing unified threat management (UTM) solutions with strong centralised control.
- The problems when centralised control is not strong include:
  - difficulty implementing company security policies across the whole network
  - no clear visibility of what is happening across the network
  - branches failing to carry out all security updates and procedures
  - difficulty in providing audit logs
  - lack of availability of skilled staff at remote sites
  - higher costs to support remote sites.
- The article looks at the centralised management features provided by WatchGuard in its UTM solutions, which give tight, centralised control of security across the network.
- Features include drag-and-drop VPN tunnel creation and an easy-to-use real-time monitoring system with a clear, intuitive graphical interface.
- Two typical scenarios show how a unified threat management system with centralised control makes controlling remote security easier and more cost-effective.
Read the article
Mobile and Remote Working - Is it secure?
By Ian Kilpatrick, chairman of Wick Hill Group, specialists in secure infrastructure solutions
Summary
- Unstoppable move towards remote and mobile working.
- Mobile working is not adequately secured.
- Organisations are concerned about security for mobile and remote workers and how to enforce company security policies outside the gateway.
- Companies want to protect against data leakage and data loss from such problems as stolen laptops.
- There is no one solution to securing remote working.
- The range of solutions includes strong authentication, end point security, remote unified threat management (UTM) systems, low-cost encryption and VPNs.
Read the article
Grier Olubi and Bentleys - Individual solicitors convicted for data protection offences
The Information Commissioner’s Office (ICO) has today successfully prosecuted two London solicitors for offences under the Data Protection Act. Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley’s Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 plus a victims’ surcharge of £15 at Stratford Magistrates’ Court. Each solicitor must pay a total of £815 in fines and costs.
Today’s prosecution follows the failure of both Mr Adejobi and Mr Bentley to notify as data controllers despite repeated reminders from the ICO of their obligations under the Data Protection Act.
Under the Act, organisations that process individuals' personal information may be required to notify the Information Commissioner at a nominal cost of £35 per year. Despite being told to notify, both Mr Adejobi and Mr Bentley have failed to respond to any of the ICO's correspondence and have still not notified.
Read the article
ADC Organisation prosecuted for data protection offences
ICO prosecutes debt company for breaching marketing rules
A Manchester debt recovery company has been successfully prosecuted by the Information Commissioner’s Office (ICO) for bombarding individuals and businesses with unwanted faxes. The action follows thousands of complaints from individuals and businesses to the ICO and the Fax Preference Service (FPS).
ADC Organisation Ltd (ADC) pleaded guilty to six charges under the Privacy and Electronic Communications Regulations and has been fined £600 (£100 per charge). The organisation was also ordered to pay £1,926.25 in costs. ADC must pay a total of £2,526.25 in fines and costs.
Read the article
ICO takes enforcement action against Marks & Spencer
M&S ordered to encrypt all hard drives by April 2008
The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees.
An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor. In light of the nature of the information contained on the laptop, it is the ICO's view that M&S should have had appropriate encryption measures in place to keep the data secure.
Mick Gorrill, Assistant Commissioner at the ICO, said: "It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.
“Organisations which process personal information must ensure that information is secure – this is an important principle of the Act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers.”
Read the article
Bereaved man sickened by marketing 'breach'
A consultant in data privacy has slammed a crematorium for its "tasteless" posting of marketing material, claiming that it broke the law.
Tim Trent, 55, cremated his mum Connie at North East Surrey Crematorium last November and thought that would be the end of the matter.
But three days later, he was stunned to find a glossy brochure on his doormat, advertising memorials, plaques, flowers and other services offered by the crematorium.
Mr Trent said: "It hit me in the face like a sledgehammer. We had a really good send-off for my mother, and thought that chapter of our life was closed. I didn't expect this at all, so it was gloriously distasteful."
Read the Wimbledon Guardian article
European Data Protection Supervisor condemns data protection legislation
The European Data Protection Supervisor (EDPS) has condemned the inability of existing legislation to protect citizens against practices and proposals that amount to the creation of a state-sponsored surveillance society.
EDPS Peter Hustinx called on the European Parliament to pass primary legislation to define and protect personal data. He also asked for specific laws to protect such data from abuse under new data collection and exchange proposals from law enforcement agencies.
He said agencies that collect, process and store the data should provide information that would allow individuals to modify their behaviour to avoid being "profiled" and to obtain redress for errors and abuses.
The recommendations were part of three opinions that the EDPS issued in December. The opinions are his response to practices and proposals related to the fight against terrorism and organised crime. Many of them have arisen since 9/11.
Read the Computer Weekly story
FBI eyes British identity data
The US Federal Bureau of Investigation is seeking British co-operation in setting up an internationally accessible biometric database of known and suspected criminals and terrorists.
Read the Computer Weekly story
Dam Data Leakage at Source
Ian Kilpatrick, chairman of Wick Hill Group, looks at damming data leakage at source.
Summary:
- Computer networks have become increasingly open and accessible by more and more users, with huge growth in the use of mobile, wireless and remote computing.
- These changes in computer networks have left confidential data at risk of being seen by those unauthorised to view it.
- Those wanting to view data without permission include employees and those outside an organisation. The motive may be non-malicious, or malicious, or criminal.
- Laptops are particularly vulnerable to data loss or theft, with laptop losses reported ever more frequently.
- Losing data damages a company's reputation, puts them in breach of the Data Protection Act and may be very costly, including the possibility of being fined.
- If sensitive information, such as financial details, is lost, it may leave customers or staff exposed to identity theft.
- Currently, the protection of data is mainly inadequate. Because of the rapidly changing structure of computer networks, companies should review the way they protect the security of data.
- The highest risk areas for losing data are through email, through remote access and through laptop use.
- Encryption is the best way to secure data. It is now both easy-to-use and low cost.
- Encryption technology is now moving towards Unified Encryption Management (UEM), which means that encryption is centrally managed throughout an organisation, including for office based systems, mobile and remote access.
Read the article
UK Information Commissioner does not regulate BlueSpam
Following discussions with the Department of Business, Enterprise and Regulatory Reform and others the Information Commissioner’s Office has amended its guidance on the Privacy and Electronic Communications Regulations 2003. The guidance previously stated that marketing messages sent using Bluetooth technology would be subject to PECR rules relating to the sending of unsolicited marketing.
Read the article
Flash mobs - the next online threat
Estonia has one of the most technologically advanced populations in Europe. Events in the last few months, though, have perhaps given the rest of Europe a taste of what might be the next real threat on the internet, flash mobbing.
Flash mobbing is where a group of people meet online to coordinate attacks on an organisation, either by their physical presence (such as everyone turning up at one furniture shop) or online. Common online attacks include sending emails to the same website at the same time, or bombarding the website with mass queries with the aim of taking the server down.
Flash mobbing has been headline news in Estonia as its government uses technology extensively, for example allowing widespread use of e-voting in the last elections. The government's servers were attacked in the summer by a flash mob thought to have had connections with neighbouring Russia.
According to a report in vnunet.com, protestors created tools designed to damage government servers, and then publicised the attack and their tools so that people could join them in the attack. Already we have seen these same techniques used to attack companies, individuals (such as the former UK TV personality Keith Chegwin) and political figures (including the former UK Prime Minister Tony Blair).
Read the article
Thales's Mobile VPN Solution Secures the Use of Public Wireless Networks
SafeMove® Mobile VPN solution makes it easier and safer to use hotel broadband networks and Wi-Fi hotspot networks
Thales, a leading supplier of IT security products and solutions for all critical infrastructures, today (4 October 2007) announced a new version of its SafeMove Mobile VPN solution incorporating an innovative Hotspot Login Assistant. The enhancement makes untrusted public networks easier and much safer for users who require remote access to corporate networks. The Hotspot Login Assistant feature makes Thales's SafeMove the leading remote access solution, truly addressing all security dimensions, including critical human factor issues.
According to the latest figures from the Office of National Statistics, the number of people in the UK who work mainly from home doubled between 1997 and 2005 to 2.4 million workers. Supporting the desire for increasing levels of flexibility, the number of workers using multiple locations experienced the strongest growth, accounting for 6 per cent of all workers in 2005. These statistics reflect a worldwide trend that supports the need for advanced security solutions, such as SafeMove, to safeguard the information of companies and individuals wishing to access private data and applications from a variety of locations.
Read the article
Thales SafeSign packages revolutionise delivery of identity management and authentication pilot schemes
Thales offers its award-winning end-to-end strong authentication solution, SafeSign, in a range of pilot packages for enhanced ease of installation and configuration
Thales today (1 October 2007) announces that it is launching individually packaged pilot versions of its market-leading identity management and authentication solution, SafeSign. This innovation enables enterprises such as banks and government agencies to assess the value of a solution against their specific business needs in a faster and more cost-effective manner. By using a SafeSign pilot package, organisations can have the solution operational in under 20 minutes, revolutionising the pilot phase and saving valuable project time.
Read the article
ICO takes action against unsolicited faxes
The Information Commissioner’s Office (ICO) has ordered two debt recovery companies to stop sending unwanted faxes to individuals and businesses. This action has been brought under the Privacy and Electronic Communication Regulations (PECR) following hundreds of complaints from individuals and businesses to the ICO and the Fax Preference Service.
The ICO has issued Enforcement Notices against Clear Debt Solutions and ADC Organisation Ltd after both companies repeatedly sent unwanted marketing faxes to individuals and companies who were registered with the Fax Preference Service or who had not given consent to receiving such faxes.
Read the article
Dechert - Bluespam - Is It Legal?
"Bluespam: Is it legal?" examines whether so called bluespam falls within the restrictions imposed by the Privacy and Electronic Communications Directive and whether organisations can therefore be prevented from marketing via bluetooth without first obtaining consent. It also considers the practicality of obtaining consent from bluetooth users and discusses the options for Bluetooth users who do not wish to receive bluespam.
Read the article
Ponemon Institute Examines Security Risk Posed by Off-Network, Data-Bearing Equipment
Study Finds Vast Majority of Data Breaches Involve Unprotected Confidential Information on Off-Network Devices
On August 7, financial services firm Merrill Lynch reported the theft of a laptop computer from its New Jersey corporate office – a computer containing sensitive personal and financial information, including Social Security numbers, for 33,000 of its employees. Such breaches of confidential information have become routine news for one simple reason: though sparing no expense to guard the security of their networks, corporations often fail to protect data on devices that are disconnected from the network.
According to a new study by the Ponemon Institute, 73 percent of corporations experienced the loss or theft of a data-bearing asset in the last 24 months, yet those same organizations report limited efforts to manage this vulnerability. The new Ponemon report, National Survey: The Insecurity of Off-Network Security, will be discussed in detail today [22 August 2007] by study author Dr. Larry Ponemon, founder and chairman, Ponemon Institute, and study sponsor Robert Houghton, president, Redemtech, during the Privacy Symposium at Harvard University.
Read the article
Romanian Scammers hit TradeMe Milestone
The criminal group responsible for numerous phishing scams on TradeMe hit a milestone on Saturday August 18th, 2007. Internet watchdog group ScamBusters reports that the number of hijacked TradeMe accounts used by a Romanian gang to place fraudulent listings on the site in the past eighteen months has now reached a total of one thousand.
“That's a lot of compromised accounts” says spokesman Alf West. “And they're only the ones that we've recorded. These criminals have many more accounts waiting in the wings, ready to use.”
ScamBuster Peter Andersen has been collating the hijacked accounts and auctions. “The thousand TradeMe user accounts identified as being hacked in the past eighteen months have been used to run 3,391 fraudulent auctions” he says, “all for non-existent items.”
Read the article
MiFID – Outsourcing continues to be an issue
A recent survey by City law firm Field Fisher Waterhouse has indicated that a significant percentage of outsourcing agreements signed by MiFID-impacted firms still fail to comply with the basic requirements of the directive. Whereas other regulations such as Basel II and Sarbox impact outsourcing by extrapolation of their rulings, MiFID is different in that it specifically refers to outsourcing and makes demands on outsourcing contracts, requires actions of supervisors and differentiates according to where the outsourcing service is located.
The overall impact will be to require substantial re-writing of existing outsourcing contracts and potentially brings the outsourcing vendors into the supervision of national regulators. This was recognised by the UK's Financial Services Authority, who released specific guidance in May; see Chase Cooper News of 17th May.
Read the Chase Cooper article
Wi-Fi SideJacking opens eyes at BlackHat
During a recent presentation at BlackHat, Errata Security raised a few eyebrows by showing a pair of point-and-click "SideJacking" tools dubbed Ferret and Hamster. The approach taken by Hamster—web session cookie cloning—is not particularly new.
However, by exploiting live BlackHat user traffic to gain access to attendees' GMail accounts, presenter Robert Graham made the threat posed by SideJacking perfectly clear:
The next time you use an open Wi-Fi hotspot to access a vulnerable website, you may not be alone.
SideJacking is the process of sniffing web cookies, then replaying them to clone another user's web session. Using a cloned web session, the jacker can exploit the victim's previously-established site access to change passwords, post mail messages, download files, or take any other action offered by that website.
Unlike some better-known HTTP attacks, SideJacking isn't about stealing logins or disruptively taking over the victim's session. It's about transparently sharing authorized site access with a legitimate user, after that user has already logged in.
Read the WiFi Planet article
Website rules for AIM companies
All companies listed on the AIM market have until 20 August 2007 to comply with regulations requiring detailed information to be included on their website. AIM is the London Stock Exchange's market for smaller growing companies.
According to a recent survey carried out by Investis, only six of the top 100 AIM companies' websites currently achieve full compliance with these regulations. The Investis research reveals that less than one-third of the companies surveyed achieved a compliance score of over 50%, with one company not even having a website. More information on the survey can be found at the Investis website.
The specific regulation is Rule 26 of the London Stock Exchange AIM Rules for Companies, issued in February 2007. A copy of these rules is available via the London Stock Exchange website.
Read the article
MiFID: 50% say regulators slipping on guidance
With less than 100 days before the 1 November deadline many financial services firms are unhappy with the support they are receiving from their national regulators as they prepare for the Markets in Financial Instruments Directive, found a survey by SunGard and TradeTech. Half the 300 respondents stated that their national regulators were either “bad” (32%) or “very bad” (19%) in helping them to get ready for the directive.
In the UK, respondents were divided on whether the Financial Services Authority's minimal guidance, principles-based approach to MiFID was a good one – only 54% believed that this is “the best approach to prevent regulatory overload”, with the remaining respondents stating that this approach “makes it difficult to understand exactly what requirements the FSA desires, adding to the compliance task”.
The survey showed an overall increase in MiFID readiness – 53% of respondents now believe their preparations for the directive are “ahead” or “right-on-track”, compared with just 34% in September 2006. However, opinions are still divided on whether MiFID will have a positive impact. The majority (54%) of institutions surveyed state that they see MiFID as just “another piece of compliance”. In addition, only 42% of respondents believe that MiFID will be good for Europe's economy in the next 5 – 10 years, with over a third still undecided.
Read the Banking Technology article
The Coalition Against Domain Name Abuse to Combat Cybersquatting
The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its national campaign against Internet fraud. A non-profit organization based in Washington D.C., CADNA is leading the way in confronting cybersquatting – the fraudulent abuse of domain name registration that threatens the future viability of Internet commerce.
Although the Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting remains an underestimated threat. The number of .com domain names alone has doubled since 2003, and the number of cybersquatting disputes being filed with the World Intellectual Property Organization (WIPO) is on the rise – up 25% in 2006 from 2005. According to a recent independent report, cybersquatting increased by 248% in the past year.
With growing ease and profitability, sophisticated cybersquatters are exploiting a flaw in the domain name registration process whereby domain names are registered and subsequently dropped, risk free, within an accepted 5-day grace period. By abusing this grace period, cybersquatters “taste” and “kite” domain names in order to test their profitability. According to a recent industry report, there are over 1 million kited sites re-registered daily, collectively bringing in $100-125 million in annual revenue for criminals and profiteers. On the whole, cybersquatting is costing brand owners worldwide well over $1 billion every year as a result of diverted sales, the loss of hard-earned trust and goodwill, and the increasing enforcement expense of protecting consumers from Internet-based fraud.
Cybersquatters' increasing assault on intellectual property hurts everyone involved, including consumers and the Internet community at large. By registering domain names derived from famous brands, cybersquatters are able to successfully lure consumers into purchasing counterfeit products (including potentially harmful counterfeit prescription drugs), giving away their personal information (which could lead to further financial loss) and unwittingly exposing themselves to spyware deposits. According to the International AntiCounterfeiting Coalition (IACC), $600 billion was spent online for counterfeits in 2006. Phishing, a fraud enabled by cybersquatting, is also growing at an alarming rate. The Internet Crime Complaint Center, a partnership of the National White Collar Crime Center and the Federal Bureau of Investigation, found that consumers in the U.S. reported personal losses of $198.44 million to phishing in 2006.
Read the article
Newcastle City Council accidentally releases credit card details to accessible system
Newcastle City Council has said it accidentally put 54,000 credit- and debit-card details on a computer system that could be accessed externally.
The council has today admitted it inappropriately released up to 54,000 credit- and debit-card details covering transactions between February 2006 and April 2007, including payments to the council such as council tax, business rates, parking fines and rent.
Read more in Computer Weekly
Monster Worldwide Hardens Its Web Security with Cyveillance
Cyveillance, a global leader in cyber intelligence, today announced that Monster®, the leading global online career and recruitment resource and flagship brand of Monster Worldwide, Inc. (NASDAQ:MNST), has selected Cyveillance to help further protect its customers from potential online fraud. Under the agreement, Cyveillance will also provide Monster with brand identity protection in addition to user privacy and anti-phishing services.
“Enhancing Monster's defenses against phishing and other online fraud is a top priority,” said Patrick W. Manzo, vice president, Compliance and Fraud Prevention, Monster North America. “Cyveillance's proactive cyber intelligence will help Monster provide our customers with an even safer environment to conduct their online career development and recruiting activities.”
Read the article
Reg NMS and MiFID...Together Forever?
Is there a possibility that MiFID and Reg NMS could one day be accepted by regulators on both sides of the Atlantic as being equivalent?
While financial services firms in the U.S. have been gearing up this year for the full implementation of Reg NMS, companies in Europe have been preparing for MiFID. (Well, actually only 8 of the 27 EU member states have so far transposed the directive into their domestic law.)
Now, the head of the Centre for European Policy Studies (CEPS) is urging the European Commission to look into the similarities and differences between MiFID and Reg NMS.
Karel Lannoo, chief executive of CEPS, says both pieces of legislation came into effect at around the same time, and both are aimed at "updating regulation to reflect technological changes and market developments."
Read the Wall Street Technology article
More investment managers using web for reports
Investment managers are increasingly delivering client reports online, according to research by Rhyme Systems, an asset management services company.
A survey of managers at a Rhyme Systems workshop shows there is a growing trend towards web delivery and a need for greater reporting flexibility to accommodate changing client needs.
The research also suggests all client reports might need to be bespoke but raises questions about how to charge the cost to the customer. However, most firms surveyed do not measure the cost of producing individual client reports.
There is also a trend towards integrating client reports across a business rather than using a separate service.
Read the IFA Online article
Italy Arrests 26 for Phishing
Italian authorities are bringing charges in a scam involving fraudulent e-mail to bank customers.
Italy has become the latest country to clamp down on phishing, with authorities there arresting 26 people for an alleged scam to swindle bank customers.
According to a statement by one of those arrested, the scam involved sending fraudulent e-mails that appeared to come from Poste Italiane, the country's postal operator, which also offers bank accounts, insurance and loans. The details were given in a news release (in Italian) from the Guardia di Finanza, which handles financial crimes.
The e-mails urged victims to hand over sensitive financial information, which was then used to draw money from their accounts, the finance authority said. Eighteen of those arrested are Italian citizens, with the remainder from Eastern European countries.
Read the PC World article
SSL certificates gone wild
By using so-called "wildcard" certificates, you can save a few headaches and a pile of money. Experts discuss the implications for virtualization as well as the potential risks.
"Where Wildcard certs have value is for anyone who is hosting multiple servers or server instances on one platform," said Quin. "Why this is becoming valuable at this point in time is because of the growing popularity of virtualization – as I virtualize I put more instances on one physical device and therefore I can now validate the trust of all of those instances with a single certificate."
But SSL is not a general security control; it is about validating trust. It creates an encrypted channel between the user and the end-point server, but it says nothing about the security of that server itself.
Read the Canadian Technology News article
CEOs urged to raise their game following unacceptable privacy breaches
The Information Commissioner is today calling on UK chief executives to take the security of employees’ and customers’ personal information more seriously. His call follows a number of unacceptable security breaches over the last year, involving leading names such as Orange and several high street banks.
Speaking at the launch of his annual report in London, Richard Thomas, the Information Commissioner, said: ‘Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.
‘How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?’
The Information Commissioner added: ‘Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately – but privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.’
Read the article
ICO launches new data protection strategy
The Information Commissioner’s Office (ICO) is launching a consultation on its new Data Protection Strategy which sets out how the ICO intends to go about its task of minimising data protection risk. The strategy, launched at the Privacy Laws & Business 20th annual conference in Cambridge on Monday 2 July, is concerned with maximising ICO’s long term effectiveness in bringing about good practice. It explains how the ICO will focus its data protection resources on situations where there is the greatest risk of harm through improper use of personal information.
Launching the strategy, David Smith, Deputy Commissioner, said: ‘Our vision is of a society where respect for personal information is guaranteed. A society where organisations inspire trust by meeting reasonable expectations of integrity, security and fairness in the collection and use of personal information. A society where individuals understand how their information is used and are aware of their rights and are confident in using them. Our strategy is all about turning this vision into a reality.’
Read the article
ICO takes action against cold callers
The Information Commissioner’s Office has required two organisations to sign formal undertakings to stop making unsolicited marketing calls to individuals. This is a legal agreement that demands a firm commitment to the Privacy and Electronic Communications Regulations.
Satellite Direct UK Ltd and Satcover Ltd, both of Hove, East Sussex, were found in breach of the Privacy and Electronic Communications Regulations after making unsolicited marketing calls to individuals using an automated calling system. The organisations were also telephoning individuals for direct marketing purposes who had expressly told the companies they did not wish to be contacted, or who had registered with the Telephone Preference Service.
Read the article
New Research Reveals Consumers Delay 34+ Hours Between the Click and the Purchase
A new ScanAlert research report, revealed exclusively to MarketingSherpa for publication this morning, shows that consumers now delay on average 34 hours and 19 minutes from the time they first click to an ecommerce site and when they finally buy something there.
So, any marketer who measures conversions solely by click-to-immediate-sale is blind to the vast majority of his or her success.
But, the bigger news broken in this report is stunning trend data. You see, back in 2005 when the study was conducted for the first time, consumers took an average of 19 hours to convert. Over the past two years, that delay time has risen by 80%. So, more consumer comfort in shopping online equals *longer* conversion cycles. That's something I don't think any of us ever predicted would happen.
Read Marketing Sherpa's exclusive article
Security professionals back data disclosure
Security professionals back a European directive which requires companies to inform customers and regulators of data security breaches.
The European Commission is expected to pass such a directive this year, although it may take years for the UK to adopt it into law.
This means that, when it comes to data breach disclosure, UK consumers will have less protection than consumers in a growing number of US states already do.
A survey by database security firm Secerno shows that 77% of IT security professionals back a UK data breach disclosure law. A recent Ipsos MORI poll found that 82% of UK consumers expect to be notified immediately if there has been a security breach.
Read the Computer Weekly article
Authentication - A Market Update
Summary
- Breakdown of the network security perimeter. Growth in the number of devices wanting to access company networks. Increasing number of remote users and laptops. Users want to access more and more different applications.
- Traditional passwords are unsuited to this situation. The UK is lagging behind in developing suitable access management for the current situation.
- Description of types of authentication:
  - weak single factor
  - strong authentication
  - two factor authentication
  - three factor authentication
  - biometrics
  - single sign on
- Remote, mobile and wireless security. How to deal with this particular risk. Strong 2-factor authentication. SSL VPNs. Limitations of wireless standards. MAC filtering.
Read the article by Ian Kilpatrick of Wick Hill
Thales launches end-to-end security consultancy service for compliance with UK's Faster Payments Scheme
Financial institutions involved in the ‘second wave’ of compliance will require specialist security consultancy and products to mitigate increased security risks
Thales has announced the launch of an end-to-end security solution for Faster Payments aimed at mid-tier banks and corporate treasury departments. Many of these organisations will be considering how to meet the Faster Payments regulation after the 13 member banks go live in the ‘first wave’ of compliance in November.
Thales' end-to-end security service, covering physical, technical, human and organisational security, will be essential if financial institutions and treasury departments are to mitigate the increased security risks associated with the Faster Payments scheme.
The Faster Payments process will initially enable funds of up to £10,000 for internet and phone banking to be transferred in a matter of seconds and for funds of up to £100,000 to be transferred before 06.00 am on the due day of standing orders. While the benefits for consumers are obvious, it will also allow fraudsters to move funds from account to account and convert these funds into cash or goods within a couple of hours. As a result, the security risk profile of transactions using the Faster Payments platform is significantly altered, making it a potentially higher value target. It is therefore likely that the Faster Payments environment will face increased scrutiny by organised crime, with future attacks exploiting a blend of external and internal vulnerabilities.
Read the article
Tentative EU-US Deal on SWIFT Data
European Union governments have reached a tentative deal with the United States clarifying how the U.S. will use the data it receives from the Belgian-based bank transfer consortium SWIFT in anti-terror investigations, diplomats said Wednesday.
The deal is aimed at ending a trans-Atlantic battle on privacy rights in the hunt for terrorists, and would close a legal black hole over the status of a data transfer deal SWIFT signed with U.S. authorities after the Sept. 11, 2001, attacks.
The new draft agreement would bind the U.S. to use SWIFT data strictly in anti-terror investigations, the diplomats said on condition of anonymity due to the sensitivity of the talks.
Other uses of the data would have to meet conditions set by European data protection officials, they said.
The deal was being finalized as part of an exchange of letters between Washington and EU government envoys in Brussels. The draft was approved Wednesday by EU nations, and was expected to receive final approval Thursday.
Read the full Houston Chronicle article