Compliance and Privacy News
Essential Reading for Today's Business 18th January 2005

in this issue
  • Pre-Publication Preview: "Web Security 2005"
  • The CNIL and SOX Whistleblowers
  • Open Source to Get US Gov't Bugcheck
  • Webcast Replay: Top 10 Spyware Attacks

    Dear Visitor,

    2006 looks like it is going to be an interesting year: rapid technology change, increasing e-commerce and even greater security threats driven by the huge opportunities the first two offer. We hope that throughout the year we will be able to give useful pointers on where to focus your time. And if you have any specific issues, why not post your own observations on the C&P website?

    In this edition we're highlighting the replay of the iDefense webcast on spyware. We see spyware as a major and continuing issue for 2006 and beyond. The only cure is more and better recognition, and better prevention.

    We're also very lucky to have a preview chapter for you of "Web Security 2005". It refers back to the cybercrime figures we looked at in the 5th December newsletter when they were said to outstrip drugs money.

    Alongside all this, the US Department of Homeland Security is getting involved in bug-checking Open Source projects. After you've read the article you can let us know what you think by discussing the concept - there's a link from the article to do so.

    And in France the CNIL has finally published compliance options to allow the SOX Whistleblowers Hotlines to be lawful. We have reprinted Faegre & Benson LLP's commentary on this. Essential reading for those whose organisations work in France.

    Peter Andrews

    Pre-Publication Preview: "Web Security 2005"

    Web Security 2005 is not yet published, but we've been given permission by VeriSign to make an advance preview chapter available for you. Written by Suheil Shahryar, this chapter takes a close look at the top threats of 2005 and trends for 2006.

    2005 saw the most computer security breaches ever, subjecting millions of online users to potential identity fraud. According to a report published by USA Today on 29 December 2005, over 130 major intrusions exposed more than 55 million Americans to the growing variety of fraud as personal data like Social Security and credit card numbers were left unprotected. The US Treasury Department said that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004.

    Key areas covered are:

    • the evolution of Internet crime
    • key security threats of 2005
    • key security vulnerabilities of 2005
    • the business of Internet criminals
    • security concerns for 2006.

    The CNIL and SOX Whistleblowers

    The French people have a natural distaste for informers. Their history of wartime informers and collaborators has made it culturally challenging to accept a system which allows informers, especially anonymous informers, to have any platform where they can act. But Sarbanes-Oxley requires informer hotlines. And France needs US corporations who trade in their geography to continue to trade lawfully.

    The CNIL has acknowledged and provided compliance options consistent with SOX. At the end of December 2005 the CNIL published a Decision (AU-004) consistent with the Guidelines, such that if the Guidelines and the Decision are followed, it will give an authorization to an organization that commits to implement a compliant whistleblowing scheme.

    Understanding the compliance options is vital to you if you are subject to SOX and any part of your organisation is trading in France.

    Open Source to Get US Gov't Bugcheck

    A huge number of US Government departments use many millions of lines of Open Source software as an integral part of their applications. How deeply embarrassing would it be if Open Source were a "spy in the office"? It's not just government applications that depend on Open Source. Businesses large and small worldwide depend on it for applications ranging from mundane to complex and esoteric.

    To be fair, an Open Source system is very unlikely to be a source of spyware. The whole régime of open source development, while it appears to allow every Tom, Dick and Harry to develop the systems, and is thus "inherently insecure", is very rigidly controlled by project owners with version control systems, quality assurance and testing often beyond the resources of a commercial corporation.

    We expect an announcement, probably from Coverity, that it, Stanford University and Symantec have picked up shares of a $1.24m grant allocated for the "Vulnerability Discovery and Remediation, Open Source Hardening Project".

    Webcast Replay: Top 10 Spyware Attacks

    As most people herald the arrival of 2006 with fanfare, the creators of spyware and adware applications continue inexorably toward the goal of maximizing revenue from their creations. The automatons that they set into motion do not take holiday breaks, preferring instead to lie in wait for the next user gullible enough to download, install and use the malicious software and provide financial benefit to the spyware distributors. Spyware is a perfect example of the growing trend in which questionable entities exploit the Internet for financial gain. The last few years have proven that malicious code, and its cousins adware and spyware, have become the raison d'être for many computer professionals. Additionally, the fine line between the malicious code camp (writing and distributing worms, viruses, Trojan horses and combinations thereof) and that of adware and spyware (writing code that is "questionable" at the least) is blurring, and successful techniques used by one faction are often, and quickly, incorporated into the products of the other. There is even a fast-growing trend of adware and spyware being deployed by means of malicious code droppers and websites - all in the pursuit of easy money.

    This iDefense Webcast is now replayed here, as usual. [Runtime 54 minutes; requires speakers or headset. Since it is a replay no interaction is possible.]

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.