News - a Roundup of all the news items between end November 2006 and end December 2006, Newest First

An archive of all the news items between end November and end December 2006 on Compliance and Privacy

To avoid long load times, news is archived periodically. If you can't find what you are looking for on this page, please refer to our archives. Please use the search engine for ease of retrieval.

Opera Software Teams Up To Provide Anti-Fraud Protection

Opera Software announced the latest release of its popular Web browser, Opera 9.1, which includes a new Fraud Protection feature. The protection includes technology from GeoTrust and PhishTank. GeoTrust, which was acquired by VeriSign in September 2006, is the world's second largest digital certificate provider and also the maker of the TrustWatch toolbar and search extension that helps alert users to potentially malicious Web sites. PhishTank is a collaborative effort that acts as a clearing house for information about phishing sites.

Read the article on Windows IT Pro

'Safe' Web seal hard to earn

Beginning now, version 7 of Microsoft Corp.'s Internet Explorer browser will start flagging certain e-commerce and banking sites as green for 'safe'. The browser will look for an extended-validation certificate issued by any number of vendors.

To qualify, vendors such as VeriSign Inc. and Comodo will be required to make extensive checks before approving such certificates. They also will have to undergo independent auditing through WebTrust, a service run by trade groups for certified public accountants.
Under the latest, 65-page draft guidelines, verification requirements include:

  • Legal existence and identity
  • Physical existence
  • Telephone number
  • Domain name
  • Individual's authorization

Read the article in the Gwinnett Daily Post

"Happy New Year!" worm on the move

Verisign is warning of a new e-mail worm arriving in inboxes with the subject "Happy New Year!"

The message, currently being spread from 160 e-mail domains, requires users to click on the attached "postcard.exe" file in order to cause damage. The file will install several different malicious code variants including Tibs, Nwar, Banwarum and Glowa on the computer. It then executes mass mailings from the infected computer.

Read the article in Linux World

Hacking for Dollars

Viruses and worms are so last-decade. Today's PC users have to worry more about online burglary than stolen bandwidth.

Although the dot-com boom has come and gone, and we're well into Web 2.0, online criminals are just starting to cash in. Not long ago, malicious coders experimented with propagating code across the Internet via worms and viruses. Although mass digital epidemics became common, viruses and worms were rare.

That's all changed. Malicious code has become a key element of the growth of online crime. It's no longer good enough for a fraudster to compromise a PC, unless that computer can be turned into cash.

For criminals, a wide selection of software that helps separate unwitting folks from their money is available on the gray market (and not all of it is illegal). For upstanding citizens, this means that the threat keeps changing while the defenses have lagged behind. A simple name for malicious code no longer exists. Crimeware, the blanket term for code aimed at garnering cash, can take on many faces. For example, the characteristic that defined viruses and worms - the ability to self-propagate efficiently - is usually not desirable for criminals because of the high risk of exposure and the massive overhead of dealing with all the files on victims' machines.

Other characteristics are more useful for criminal exploits. Bots focus on efficient remote control of a large network of compromised systems; Trojan-horse programs attempt to fool the victim into running the code by appearing to be some other application; and phishing attacks use e-mail to fool the user into running code or visiting a malicious Web site.

Read the article on PC Magazine

Are DOD Attacks The Tip Of The Info-War Iceberg?

Is it possible to fight a war by email? Probably not, but it just might be possible to start one that way.

If that seems like an outlandish possibility, I suggest taking a closer look at what might be one of the most under-reported stories of the year: a massive, highly sophisticated, ongoing effort to compromise U.S. Department of Defense computer systems. Last summer, you might recall news reports of organized attacks that, in some cases, compromised non-classified U.S. State Department systems, both at home and overseas. It appears that most of the attacks on U.S. military systems are taking a somewhat different, but no less troubling, avenue of attack.

The Defense Department is battling “a significant and widespread effort” to penetrate DOD information systems with sophisticated, targeted, socially engineered e-mail messages in a technique known as spear phishing, according to internal documents.

The Joint Task Force-Global Network Operations (JTF-GNO) warned DOD users last month in an internal presentation that everyone within DOD is a spear phishing target. Attempts have been made against all ranks in all services in all geographic locations. DOD civilians and military contractors have also been hit by spear phishing attacks, the JTF-GNO presentation states.

The Defense Security Service (DSS), which supports contractor access to DOD networks, said in a bulletin sent to contractors in October that JTF-GNO “has observed tens of thousands of malicious e-mails targeting soldiers, sailors, airmen and Marines; U.S. government civilian workers; and DOD contractors, with the potential compromise of a significant number of computers across the DOD.”

Read the full article on TechWeb

Online banking overtakes telephone

More people are now using online banking than telephone banking, new APACS figures reveal.

In 2006 some 48 per cent of internet users had an online bank account, according to data released today by UK payment association Apacs.

Overall, some 16.9 million adults now have online bank accounts, with two in three of these going online at least once a week.

This compares with 15.4 million people using telephone banking, making 2006 the first year online banking has overtaken telephone banking in the UK.

In the last year the number of people using telephone banking has fallen 600,000 while in the last four years the number of Britons with online bank accounts has risen from 7.5 million to 16.9 million.

"Our research shows that increasingly, if you are under 35, you are more than likely to be turning to the internet rather than the phone to manage your finances," said Sandra Quinn, director of communications at Apacs.

Read the article on

Extend compliance and security efforts to the database level

When conducting business, either online or face-to-face, individuals trust that every reasonable step will be taken to ensure the privacy of their data. Corporations have a responsibility to protect that trust by extending robust protections and security best practices throughout their IT infrastructure. But with nearly 100 million personal records - including credit/debit card numbers and social security numbers - compromised through theft or mishandling in the past two years, it would seem perhaps that trust is misplaced.

Or is it? It's a complicated question. Over time, organizations have responded to threats against consumer privacy with substantial increases in IT perimeter security. Without a doubt, security systems have become more sophisticated. But hackers have too. And the nature of the threat has changed.

Read the article in SC Magazine

Detica to build new market abuse intelligence system for the Financial Services Authority

Detica Group plc, the business and technology consulting firm, today (15 December 2006) announces that it has signed a letter of intent with the Financial Services Authority to deliver a new intelligence solution designed to assist the FSA in the exercise of its supervisory and regulatory powers under the new Markets in Financial Instruments Directive (MiFID). The new system will analyse trading in a diverse range of financial instruments and provide the FSA with intelligence on unusual and potentially unlawful activity such as market abuse and insider trading.

Read the article

HSBC to Implement Fraud Detection Service from VeriSign to Enhance Customer Protection

HSBC USA Inc., the U.S. banking unit of one of the world's largest financial services companies, and VeriSign today (18 December 2006) announced an agreement for HSBC USA to deploy the VeriSign® Identity Protection (VIP) Fraud Detection Service (FDS) to enhance the protection it provides to customers to prevent identity theft and fraud.

“The VeriSign Fraud Detection Service provides additional online authentication and fraud monitoring, which will enhance the measures the bank already employs to safeguard customer information and assets when banking over the Internet” said Martin Hayes, senior vice president and head of e-business, HSBC USA. “Protecting customers' accounts and identities is of paramount importance.”

VIP FDS includes a state-of-the-art risk engine that offers layered, risk-based authentication and fraud prevention capabilities. VIP FDS runs behind the scenes, utilizing advanced anomaly detection technology which flags potentially fraudulent activity while continuing to ensure a favorable user experience and timely delivery of services.

Read the article

VeriSign to Expand Content-Delivery Services

VeriSign will expand its content-distribution offerings with the launch of VeriSign Intelligent CDN, going after the likes of Akamai Technologies and Limelight Networks.

The service, to be generally available in January, will combine the peer-to-peer file-distribution features of Kontiki - which VeriSign acquired this year - with conventional Web-based file downloads and streaming media.

The new service offering will be able to support "millions of users," said Todd Johnson, vice president of broadband services for VeriSign, previously CEO of Kontiki. He wouldn't provide details of how much bandwidth VeriSign is capable of serving, although he said the company operates more than 20 data centers around the world.

See the full article in Broadcast Newsroom

Russian bank chief jailed for identity theft racket

A disgraced Russian bank chief, who helped run one of the most successful gangs of identity thieves, was jailed for six years today (13 December 2006).

The sophisticated international operation saw tens of thousands of British, American and Spanish account holders defrauded out of millions of pounds.

Police believe the internet-based enterprise, founded on strict business lines and boasting exhaustive records, lasted a decade.

The many "compromised" credit cards involved were used to buy large numbers of electrical goods - later sold on eBay here and abroad - as well as gambling extensively on sporting fixtures and to set up bogus merchant accounts.

Read the article in the London Evening Standard

The Business Case to Justify Security Investments

Firms have been taking multiple steps post-9/11—either voluntarily or to meet mandated government regulations—to ensure safe transit of their goods across international borders. In parallel, natural disasters as well as such other unforeseen events as product adulteration, border closings and strikes by ports have made firms more aware of the vulnerability of their supply chains.

International trade is no longer just about moving goods quickly and cheaply. There is a third element: securely.

A private-sector analysis conducted by the International Monetary Fund (IMF) estimates the increase to business costs due to higher security costs at $1.6 billion per year, the extra financing burden of carrying 10 percent higher inventories at $7.5 billion per year. Another study estimates an increase in commercial insurance premiums of 20 percent at about $30 billion per year. New security measures following 9/11 are estimated to cost the U.S. economy alone more than $150 billion, of which $65 billion is for changes in supply chains.

Read the full article in World Trade Magazine

Spyware infections hitting productivity

In a survey of 100 firms by Webroot, 45% reported an increased load on their IT helpdesk and 32% said employee productivity had been impacted as a direct result of spyware infections.

Nearly a fifth of UK firms claim to have lost sensitive information through spyware infections on their network PCs, and 22% said that spyware had threatened sensitive business activities.

Read the article in Computer Weekly

The smart ID card: eventually everyone will need one - Gemalto

Every individual on every network will increasingly use microprocessor-based personal security devices to identify themselves and access services. Here's the how and why of this digital security phenomenon.

Today, 2.8 billion microprocessor-based smart cards already securely identify individuals and provide them with access to services on networks. This addresses the way individuals conduct their daily life, wanting and expecting more freedom to communicate, travel or buy anytime and anywhere in a secured way. In a world of 4.5 billion people aged 14 years or older, approximately half use a smart card for some type of network identity. Some even have two or more smart cards.

We are thinking beyond the card itself to how we are connected to the bigger world of digital security for information technology. At Gemalto, we are thinking and talking about our industry in a different way.

Read the article in SecureID News

Ponemon Report Shows Sharp Rise in the Cost of Data Breaches

At Infosecurity NY 2006, PGP Corporation, Vontu, and The Ponemon Institute, a privacy and information management research firm, released the 2006 Annual Study: Cost of a Data Breach. This benchmark analysis details the financial impact of data loss incidents on affected companies. Initiated in 2005, the study examines all financial consequences of data breaches involving consumers' personally identifiable information. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.

According to the study's 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. The Ponemon Institute analyzed 31 different incidents for the study. Total costs for each ranged from less than $1 million to more than $22 million.

The 2006 Cost of a Data Breach Study tracks a wide range of cost factors, including legal, investigative, and administrative expenses, as well as stock performance, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Read the article

SEC and PCAOB Still Working on Sarbanes-Oxley Changes

Christopher Cox, the Securities and Exchange Commission (SEC) Chairman, said recently that regulators were still working on revisions to its rule requiring companies to adopt internal controls and procedures for financial reporting but said he was “confident” that the result would “improve the reliability of public company financial statements and better protect investors,” the Washington Post reports. The SEC will issue its proposed revision on December 13. Mark Olson, Chairman of the Public Company Accounting Oversight Board (PCAOB), said last week that his agency would issue its own changes to the implementation standard some time before Christmas.

Trade groups and members of Congress have been pushing for changes in the standard because implementation has proved so costly for many companies. The U.S. Chamber of Commerce, community bankers and organizations representing small-cap and mini-cap businesses that have not yet implemented the standard – “think biotech” says -- have been leading the effort.

These groups want the regulators to make the external audits more risk-based, and scale back the requirement for small companies. More precise definitions of what is “material” to the company's financials and which controls are “significant” would help to focus the audits and reduce the costs.

Read the full article on Accountingweb

Apacs and Visa grilled over online crime

The House of Lords Science and Technology Committee has questioned representatives of Apacs and Visa over online computer crime in the financial services industry.

The witnesses were pressed on what mechanisms the financial industry had put in place to protect people using online banking and other online financial services.

Sandra Quinn, a spokeswoman for Apacs, was asked – with online banking fraud increasing by 90% to £23.2m in 2005 – how much banks are now losing to internet fraud and whether they expected the growth in fraud to continue.

Quinn replied, “We have half year figures for 2006 and the figure stood at £22.5m, an increase of 55% on 2005. The rise won't be as high in percentage terms as the rise in 2005. But it is certainly not going to be a non-dramatic rise. It is still of concern.”

Apacs' evidence suggested that the number of phishing incidents rose by 8,000% between January 2005 and September 2006.

Read the full article in Computer Weekly

UK Financial Services Companies Vulnerable to Data Theft Reveals Survey

LogLogic survey finds 76 per cent of UK's biggest financial services companies unable to track and trace potential theft

While 86 per cent of large UK financial services companies report that their enterprise data is mission critical, 76 per cent reveal that they do not currently have systems in place to track and trace potential data theft, according to a survey commissioned by LogLogic, the log management and intelligence company. Of those companies who report having systems in place to monitor IT data, 57 per cent say it takes them several days to identify security breaches involving data theft and just 19 per cent report they are able to perform the appropriate forensics within one working day.

"Despite the potential liabilities and risk to their companies, it is startling that IT directors in the UK are largely unable to perform simple forensics to determine data theft," said Ross Brewer, Managing Director of European Operations for LogLogic. "Equally disturbing is that relatively few companies even have the ability to properly monitor employee movements and the data linked to those employees, while acknowledging the awareness of the risks of reputational damage, theft of intellectual property and potential fraud."

The survey, which was carried out by Vanson Bourne, polled senior IT directors in 25 of the largest (over 1,000 employees) UK financial services companies.

Read the article

Liverpool City Council prosecuted for data protection offences

In the first prosecution brought by the Information Commissioner for failure to comply with an information notice, Liverpool City Council has today pleaded guilty to the offence and agreed to the Information Commissioner’s Office auditing the authority’s data protection procedures. The council was fined £300 and no application for costs was made. In his summing up, the District Judge at Liverpool Magistrates’ Court said the council had shown an ‘appalling breakdown of communication’ and ‘a clear lack of compliance’ with the Data Protection Act 1998.

Using the Data Protection Act a former employee of Liverpool City Council made a ‘subject access request’ for personal information held on her by the authority. Following the request, Liverpool City Council provided some information to the woman. However she felt that some sensitive information relating to her health was missing from the material provided. As a result of this she made a complaint to the Information Commissioner’s Office (ICO).

Read the article

What is Rock Phish? And why is it important to know?

It's been in the news recently with a substantial article by Robert McMillan of the IDG News Service. After we read his article in InfoWorld, we asked Ken Dunham, Director of VeriSign's Rapid Response Team, and this is what he told us

Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region.  This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam.  The group is named after URL characteristics, where strings such as "rock" or "r" may appear in a phishing URL.  Multiple characteristics are utilized in associating phishing attacks with the Rock Phish Group.

See the article for everything Ken Dunham had to say on Rock Phish

VeriSign Combats Online Fraud with New Digital Brand & Fraud Protection Services

Services Help Companies Protect Revenue and Preserve Consumer Confidence by Proactively Responding to Phishing, Trademark Infringement and Counterfeiting Activities

VeriSign today (12 December 2006) launched a suite of new Digital Brand and Fraud Protection services. The services help organizations detect, prioritize and rapidly respond to suspicious activities on Web sites, blogs, online user communities, and other sources that can damage brand equity and consumer confidence.

“Brand equity and reputation, which can be valued at billions of dollars for well known companies, can easily be compromised by online fraud, negative opinions, trademark infringement and improper logo usage,” said Mike Denning, vice president and general manager, VeriSign Digital Brand Management Services.  “For the first time, companies can protect revenue and their brands by rapidly responding to incidents in near real time.  Our new Brand and Fraud Protection Services provide marketing, legal and IT professionals with actionable brand protection and management solutions to detect and counter any unauthorized or improper online activity that could damage their brand image and lead to lost revenues.”

“Firms have to ensure that their brand integrity remains consistent both online and offline,” writes Mike Rasmussen, vice president, Forrester Research.  “Malicious attacks or internal negligence can lead to compromised customer privacy, inconsistent company communications, or inaccurately published information that ultimately harms the firm's overall brand and online presence.”

With the proliferation of online fraud such as phishing and typo squatting, protecting brands online has become increasingly important for enterprise companies. According to the Anti-Phishing Working Group (APWG), the number of distinct spoof Web sites rose 52 percent in October 2006 to a record-shattering 37,444, up from 24,565 a month earlier.

Read the article

McAfee, Inc. Reports on New Generation of Cybercriminals

Teens as Young as 14 Lured into Life of Virtual Criminology

McAfee, Inc. today (12 December 2006) announced the findings of new research that reveals how organized crime is grooming a new generation of cybercriminals using tactics reminiscent of those employed by the KGB during the cold war. McAfee Virtual Criminology Report 2006 marks the second annual McAfee report into organized crime and the Internet. The study, which used input from Europe's leading high-tech crime units and the FBI, suggests that crime gangs are targeting top students from leading academic institutions in order to provide them with the skills they need to commit high-tech crime on a mass scale.

The study reveals how Internet savvy teens as young as 14 are being attracted into cybercrime by the celebrity status of high-tech criminals and the promise of monetary gain without the risks associated with traditional crime. The report also shows how cybercriminals are moving away from bedrooms and into public places such as Internet cafes and wi-fi enabled coffee shops.

Other key findings from the McAfee Virtual Criminology Report 2006 include:

  • The Cult of Cybercrime: Cybercrime has established a cult following with online offenders rising almost to celebrity status within hacking communities. Specialist forums to highlight potential security issues have also served to showcase 'black hat' tricks and criminal opportunity
  • The Malware Milkround: Organized crime is now employing KGB-style tactics to ensnare the next generation of hackers and malware authors. Cybercriminals are actively approaching students and graduates of IT technology fields to recruit a fresh wealth of cyber-skill to their ranks
  • Inside Jobs: Taking advantage of inadequate company security procedures, current and former employees, contractors and suppliers are instigating the vast majority of hacking attacks. Cybercriminals are sponsoring graduates with a view to gaining the lucrative insiders' view of enterprises

Read the article

FCC Appoints VeriSign to Commercial Mobile Service Alert Advisory Committee

VeriSign, Inc. announced today (12 December 2006) that the Federal Communications Commission (FCC) has appointed the company to serve on its Commercial Mobile Service Alert Advisory Committee.  Anthony M. Rutkowski, Vice President for Regulatory Affairs and Standards, will represent VeriSign on the Committee.

The FCC was directed by Congress to form the Committee as part of the recently-passed Warning, Alert and Response Network (WARN) Act (Title VI of Public Law 109-347).  The committee will establish a national emergency alert system to warn the public in case of a terrorist attack, natural disaster or other crisis.  Over the next year, the Committee will develop and recommend technical standards and protocols to enable mobile service providers to transmit alerts to subscribers' mobile phones.

Read the Article

10 things you should know about privacy protection and IT

A little US Centric with the legal references, but the rest of this article has fundamental truths for the organisation trading in today's climate:

  1. Reporting compromised data: It's the law
  2. Customer loyalty is directly dependent on privacy
  3. IT pros bear most of the burden for privacy
  4. A data classification policy is essential
  5. Identifying critical systems helps risk analysis
  6. Organisations carry the burden of proof
  7. Chief Privacy Officers oversee privacy issues
  8. Privacy incident management can prevent future risks
  9. Boundaries are blurring
  10. White collar crime threatens privacy

Read the article on ZDNet

United States: HP Settles Pretexting Case And Agrees To Broad Corporate Governance Changes

Last week, Hewlett-Packard announced it will settle a lawsuit arising out of the alleged pretexting practices used in an internal investigation into leaks of confidential HP information. The $14.5 million settlement with the California Attorney General includes $650,000 for civil penalties, $350,000 for investigation and prosecution costs incurred by the AG's office, and a $13.5 million "Privacy and Piracy Fund" for California state and local governments to conduct investigations into and prosecute privacy and intellectual property violations.

Without any admission or finding of liability, HP also agreed to a court-ordered injunction with a specific ethics and compliance oversight scheme that enumerates various corporate governance and training provisions. The injunction goes so far as to mandate direct line reporting of violations to the California AG's office if a designated ethics and compliance Independent Director concludes that HP is violating California law or the agreed-to injunction in conducting investigations. This agreement between HP and the California AG's office is instructive for all companies struggling with striking the appropriate balance between legal and ethics compliance and the need to conduct internal investigations. [See Goodwin Procter's October 25, 2006 Client Alert "Pretexting: Another Landmine in the Field of Internal Investigations." ]

Read the full article on Mondaq [registration required (free)], and then note that HP appears to have had a spur to settle:

Congress passes anti-pretexting law, violators will face prison

After months of inaction, Congress has passed an anti-pretexting bill, which now goes to the president for his signature.

The bill outlaws the acquisition of phone records by making false statements to phone company employees, or by using fraudulent documents, or through unauthorized Internet access.

Violators face up to 10 years in prison, and there are additional penalties if there are more than 50 victims or damages greater than $100,000.

There was previously no federal law against pretexting, although several states have laws. The House had passed the law in April but the Senate remained deadlocked until late Friday.

[The second snippet is copyright of and came from the ITC Institute newsfeed on our "Breaking News" page]

Talkback about this item

Compliance and Privacy Newsletter - 13 December 2006

In this issue:

  • Data Breaches are a Growing ID Theft Concern
  • Jeff Pettorino's Security Convergence Blog
  • Information Security Driving Business Process Improvements
  • Mike Spinney's Private Communications Blog
  • Websense Alerts
  • Microsoft puts security as top priority for IE7 and Vista
  • Survey Reveals Acute UK e-Phobia in Run-up to Christmas Spending Spree
  • NHS National Programme for IT - Major Security Concerns
  • MiFID to cost £1bn! - FSA
  • Public Alerts - from
  • Webcast Replay Library
  • VeriSign Hits top 10 in CIO Insight's Vendor Value Study
  • VeriSign Issues First Ever Extended Validation SSL Certificate
  • Macedonia, Blacklists, and the Security Solution
  • Major Industry Presentations now available

Click Here for the Newsletter

VeriSign wins .com control until 2012

VeriSign and the US Department of Commerce (DoC) have agreed to allow a deal submitted by the Internet Corporation for Assigned Names and Numbers (Icann) that gives VeriSign control of the .com and .net domains until 2012. 

VeriSign, which has run the domains since 1999, has also won the right to increase charges for the domains by up to seven per cent annually for four of the next six years.

However the DoC's National Telecommunications and Information Administration (NTIA) has retained the right to overrule any price hikes in domain registration.

"As a condition of approval, the DoC negotiated an amendment to its existing Cooperative Agreement with VeriSign to address the competition and internet security and stability issues identified during the review process," said NTIA in a statement.

Read the article in What PC

Major Industry Presentations now available for download - Q4 2006

Our sponsors VeriSign have been busy participating in many events this quarter. Here is a summary of some of the highlights, with links to a number of the presentations delivered.

  • RSA Conference 2006, Acropolis, Nice, France - 23-25 October 2006
  • Tackling Organised Crime in Partnership, Victoria Park Plaza, London, UK - 22nd-23rd November 2006
  • Combating Online Banking Fraud, IOD, London, UK - 27th November 2006

Download these and more

Macedonia, Blacklists, and the Security Solution

With just over 2m inhabitants and independent only since 1991, the Former Yugoslav Republic of Macedonia is one of Europe's younger and smaller states.

But the country has ambition enough. The European Union granted it EU candidate status in December 2005. Business leaders in the country want to boost economic and, especially, export performance. Macedonia's main industries include wine, cheese, textile production and tourism.

The Macedonian challenge is that it is a nation where education is strong, where engineering and technology are valued and contribute strongly to the economy, and where IT is essential. Being hamstrung by a bad reputation meant that Macedonian users were unable to take part in eCommerce and could make no credit card payments online. They couldn't use eBay, PayPal, or any of the services we all take for granted.

Read the article, and get the Financial Times article sent to you

VeriSign Issues First Ever Extended Validation SSL Certificate in Support of IE7 and Microsoft Vista Launch

New Groundbreaking EV Upgrader™ technology will enable all IE7 browsers on Microsoft Windows™ XP client systems to also display the green address bar

VeriSign today (11 December 2006) announced the general availability of its Extended Validation (EV) SSL Certificates, which help protect users against online fraudulent activity by providing third party verification of a Web site's authenticity. These new certificates support Microsoft's IE7 and Vista operating system and also incorporate VeriSign's unique EV Upgrader technology enabling all Windows XP clients using IE7 to display the same green address bar and other interface enhancements as Windows Vista clients.  VeriSign issued the first of these certificates to, one of the largest online retailers in North America.

Read the article

VeriSign Hits top 10 in CIO Insight's Vendor Value Study

We were both surprised and pleased to observe that our sponsors, VeriSign (whose sponsorship ended on 28 February 2007), appeared jointly in 10th place with Motorola and McAfee in the recent US survey, CIO Insight's annual Vendor Value study for 2006, a notch ahead of key rivals EMC (RSA), Check Point and Symantec.

To see a high number of IT security vendors making it into the list shows not only the seriousness with which security is being taken, but also the quality of the security vendors who made the cut.

Read the article

Cybercriminals Target Small Biz

Instead of going after large companies, hackers are now targeting small businesses, whose systems are often more vulnerable than those of the big guys.

Even though Craig Brown was hired to be financial controller at Menlo Park (Calif.)-based Summer Hill, a 45-employee home-furnishings company, his boss figured computer-savvy Brown could lend an occasional hand with information technology. However, since the company had set up little-to-no protection against viruses, spam, and other Internet nasties, IT soon took over the bulk of Brown's days.

And when the company's network started to slow to a crawl, Brown was constantly being pulled away from number-crunching to address the problem. It turned out that a trojan, or virus-like bug that can cause a host of different problems, had infiltrated the company's 12-computer network and was sending spam to other systems (see, 5/29/06, "Meet the Hackers").

Summer Hill is far from alone. Many small businesses are more vulnerable to cybercrime than they think, according to the 2005 Small Business Information Security Readiness Study of 1,000 small businesses with anywhere from 1 to 100 employees. The study was jointly sponsored by the Small Business Technology Institute, a nonprofit group based in San Jose created to foster adoption of information technology by small businesses, and software giant Symantec.

The report reveals that many small businesses fail to understand the damage that can be caused by information security incidents, aren't educated about cyberthreats, and fail to adequately invest in security. The Institute has a smaller study planned for 2007 but says the 2005 research is still indicative of the proportions and trends affecting small-business owners today.

Read the Business Week article

The security of Web 2.0 - an oxymoron

I recently found this presentation from Morgan Stanley about Web 2.0 and where and how the Internet is growing.  I haven't heard any accompanying audio with the presentation, so I don't know the finer points of the points being made, but just the slides themselves show some very interesting facts and open the mind to so many security implications.

For instance, take a look at slides 6 & 7.  Slide 6 talks about telephony and communication over the Internet, with Skype being the focus.  Look at the stats:

  • 136 Million registered users (Skype says 100 Million)
  • ~ 7% of international long distance minutes
  • Would be ranked #3 in number of global users if it was a carrier

Slide 7 talks about the growth of social networking sites like YouTube, MySpace, etc.  If I am reading it correctly, slide 8 says YouTube traffic has grown 2,662%.

Visit Michael Farnum's Blog at Compliance and Privacy and see for yourself

Criminals 'target tech students'

The boom in cyber crime is forcing criminals to go to great lengths to recruit skilled hackers, says a report.

Some criminal gangs are paying students while they study to ensure they have a pool of tech-savvy workers to call on, says the report from McAfee.

Others are cashing in on the glamour of the hi-tech world to tempt youngsters into embarking on a life of crime.

McAfee said children as young as 14 years old were being targeted by some criminal gangs.

Read the BBC News article

No patch for Microsoft Word in next round

Five sets of patches for Windows and a single critical security update for Visual Studio are readied, but no fix is in the works for the latest flaw

Microsoft Corp. plans to patch its Windows and Visual Studio products next week, but it does not have a fix in the works for a widely publicized flaw in Word, which hackers are reportedly exploiting in targeted attacks.

The company's security team is readying five sets of patches for Windows, and will also issue a single critical security update for Visual Studio, Microsoft said in an alert published Thursday.

Microsoft rates the most serious of its Windows updates as "critical," meaning an attacker could exploit the underlying flaw to run malware on a victim's PC with no user action, the company said.

These security patches are usually released on the second Tuesday of each month, and the company strives to publish a small number of updates in December, because IT operations are often short-staffed during the holiday season.

Read the article in InfoWorld

The Phone Phisher Cometh

Prompted by an article in The Hindu Businessline, Peter Andrews, editor of Compliance and Privacy recalls his own brush with attempted phone phishing and ID Fraud.

The call in that article is not so different from the one Andrews received a month or two before the UK Chip and PIN cutover date. He banks at First Direct, a bank set up to handle the phone first and foremost, and he was unaware that he was about to receive a new credit card, so he was not surprised that it did not arrive. And the First Direct phone system is pretty secure, with variable questions asked.

Read the Article

Security fears scare off US customers from online banking, shopping

Nearly $2 billion in US e-commerce sales will be lost in 2006 due to consumer concerns over the security of the Internet, according to a survey by Gartner, which also found that fear of fraud and identity theft have prevented around 33 million US adults from banking online.

The survey of 5000 online US adults in August 2006 found that recent security breaches - both online and offline - are having a significant impact on buying patterns and use of Web banking facilities.

Nearly half of those surveyed (46%) said concerns about theft of information, data breaches or Internet-based attacks have affected their purchasing payment, online transaction or e-mail behaviour. Of all the behaviors affected, online commerce - which includes Internet banking, online payments and Web shopping - is suffering the most.

Almost nine million US adults have stopped using online banking, while another estimated 23.7 million won't even start because of fears over security.

Gartner estimates that approximately $913 million in e-commerce sales was lost in 2006 because of security concerns among online shoppers. The analyst group says another $1 billion was lost from consumers who refuse to shop online because of security worries.

Read the article on

MPs will hold inquiry into £12bn NHS IT plan

The House of Commons' Health Committee has agreed to hold an inquiry into key facets of the £12.4bn NHS National Programme for IT (NPfIT) after some MPs expressed concerns that the scheme may be foundering.

The decision reverses a resolution taken by the parliamentary committee only weeks ago not to hold an inquiry, and vindicates a campaign led by leading academics, Computer Weekly and MPs.

The inquiry, the terms of reference for which will be announced shortly, is expected to involve the committee's members questioning ministers and officials at a series of hearings.

MPs on the committee can take in evidence from trust executives who are concerned about the lack of progress in the delivery of core patient systems for hospitals, and from GPs about whether centralised electronic health records will be secure.

The committee in October rejected an inquiry partly because some members believed the programme was too complicated to be investigated by non-expert MPs.

Read the Article

IMA Responds to NewCoB Proposals from FSA

IMA today (29 November, 2006) issued its comments on the wholesale reform of the Conduct of Business (CoB) rules proposed by the FSA in response to the MiFID Directive.  In a substantial and detailed response to the FSA's consultation paper CP06/19, the IMA covers a wide range of issues, but two are of particular importance.

Read the Article

MiFID threat to Hedge Fund investment

The FSA will invite consultation from January to decide whether to allow retail investors to access hedge funds. The review has been brought about because the new pan-European MiFID (Markets in Financial Instruments Directive) rules will mean many investors will be reclassified and will become unable to access the funds.

Retail investors will not be able to access unregulated investment schemes, which include hedge funds, so the regulator will need to implement the changes ahead of the restrictions being put in place.

Under MiFID, investors will be classified as retail if they either make less than 40 trades a year or have less than 400,000 euros in investment assets.

Read the article in the FT

Phishing attacks hotting up

Phishing attacks are increasing in frequency and sophistication while shifting from larger to smaller financial institutions, according to security vendor RSA.

The vendor has tracked shifts in phishing demographics, and claims they are being driven by a renewed focus on smaller financial institutions. US banks have been building stronger anti-phishing protection, forcing fraudsters to target banks in other countries, according to RSA.

"We're seeing an interesting shift in the global phishing landscape, partly fuelled by guidelines instructing US banking institutions to implement stronger forms of authentication," said Andrew Moloney, head of international marketing for RSA's consumer solutions business. "There's been a shift in the global black market to the less protected banks. In the UK, online banking is not particularly well protected," Moloney claimed.

Bank e-fraud teams are increasingly using behavioural monitoring of both physical and digital systems to judge whether a fraud is being attempted, said Moloney.

Read the article on

VeriSign To Acquire inCode Wireless

VeriSign, Inc announced it has signed a definitive agreement to acquire inCode Wireless, a global business and technology consulting firm.

“With a focus on next generation mobility solutions, inCode professionals have a firm grasp of all aspects of the wireless marketplace – from business strategy to emerging trends,” said Stratton Sclavos, Chief Executive Officer and Chairman of VeriSign. “Combined with VeriSign's market-leading portfolio of managed communications and content offerings, we plan to offer end-to-end solutions that enable our customers to launch compelling services that drive new revenue streams and improve customer loyalty.”

inCode has become a global force in wireless business and technology consulting, with 14 offices in 10 countries. The company provides strategy consulting services to nearly every major wireless, wireline, cable operator and telecom equipment manufacturer, as well as leading enterprises.

Read the Article

FSA sets out costs and benefits of MiFID - One Billion Pounds

The Financial Services Authority today (24 November 2006) published a paper setting out its assessment of the overall costs and benefits for the financial services industry of implementing the Markets in Financial Instruments Directive (MiFID) in the UK.

The paper, "The overall impact of MiFID", attempts to quantify, where possible, the benefits of MiFID in the UK, and sets these alongside the costs of implementation. It indicates that, under certain assumptions, MiFID could generate some £200 million per year in quantifiable ongoing benefits, attributable mainly to reductions in compliance and transaction costs.

The quantified one-off cost of implementing MiFID could be between £870 million and £1 billion with ongoing costs of around an extra £100 million a year. These are aggregate figures: it is likely that the distribution of costs and benefits will vary among firms depending on exactly how MiFID affects their business.

Read the Article


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.