Compliance and Privacy News
Essential Reading for Today's Business 14th March 2006

in this issue:
  • Sober Worm Postmortem Webcast Replay
  • Social Engineering: The Effect on Information Security
  • Ever wondered about "Refer a Friend"?
  • When is Spam not Spam?
  • Who needs Chip and PIN? The Co-op trials fingerprints!

    Dear Visitor,

    Welcome to this week's newsletter in which we seem to have something for everyone! First up is the Sober worm - view a replay of the latest iDefense webcast at your leisure. And our second featured webcast considers that most under-estimated factor in security - the human one. With more and more attacks focusing on the human factor, you'll want to take a look!

    Have you ever entered a "refer-a-friend" programme? Did you know most of them break the law? We take a look. Then there's the curious case of the ISP who has managed to confuse viruses with Spam. And finally, with Chip and Pin having been much in the news lately, we bring you details of the Co-op's "Pay By Touch" fingerprint verification system.

    As always, we welcome your comments - why not contribute to C&P yourself? Post a comment on your views, issues and experiences.

    Do also participate in our simple survey on Information Security Policies - it appears in the left hand margin on Compliance and Privacy. Do you have one in your organisation? If you do, is it comprehensive enough?

    Peter Andrews

    Sober Worm Postmortem Webcast Replay

    Sober was the most prevalent e-mail worm of 2005. The carefully planned and coordinated attack started in early November 2005 and lasted until Jan. 6, 2006. In this presentation, iDefense examines the progression of the Sober attacks and the techniques the worm used to both infect its hosts and spread to others. iDefense also covers the impact that these attacks had on key corporate infrastructure and the future of the Sober worm itself.

    This is a replay. It runs for 19 minutes and requires a headset or speakers. No interaction is possible.

    Social Engineering: The Effect on Information Security

    Researchers have often pointed to human users as the weakest and most commonly exploited attack vector. Although social engineering tactics have evolved, they remain simple and effective. In this report, iDefense explores the extent to which such targeted trickery affects the security environment today, and how it will continue to impact information security in the future.

    This live webcast is scheduled for 2pm US EST (7pm GMT) on Wednesday 15th March, and requires an audio equipped computer for full participation.

    As usual we will mount a replay on this site a day or two after the webcast.

    Ever wondered about "Refer a Friend"?

    We have, at Compliance and Privacy, and so has the Advertising Standards Authority in the UK. And a recent judgement against one such scheme has led to the ASA and the Committee of Advertising Practice issuing advice for these Refer a Friend schemes, also known as "Member-get-Member".

    The schemes are only lawful if handled correctly, and if certain legal conditions are met. So, is yours lawful?

    When is Spam not Spam?

    The answer is, "When it's a virus".

    Why do so many well meaning people confuse the two? We've wondered about this for a long time. The only conclusion we can come to is that ordinary people, acting with goodwill, just haven't got a clue. As a result, they confuse viruses like the Kama Sutra and the various Sober viruses with Spam.

    But when a UK Internet Service Provider confuses the two, you have a recipe for confusion. They applied a highly aggressive Spam filter to address a virus outbreak and announced the same to their customers. As an ISP, you might expect them to know better, and you could certainly argue that they have a duty to customers to be clear in an area where such misunderstanding could have disastrous consequences for the hapless customer!

    Who needs Chip and PIN? The Co-op trials fingerprints!

    With all the major need for strong authentication, true recognition of the user, and discussions about tokens and similar things, this story caught our eye. The question is, "Is this the future?" And we will only start to know when the 16 week trial of Finger Print Payment Processing at the UK's Mid Counties Co-op's Oxford store is complete.

    Pay By Touch is an innovative payment service which enables consumers to pay for their purchases using their finger rather than a card, cheque book or cash. The payment service will be available in three Midcounties Co-op supermarkets in and around Oxford.

    But will conservative Brits take this service up, or will they give it the archetypal British two finger gesture? Read the article and then tell us your views, both as a consumer and as someone who may implement biometric systems.


    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.