Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 25th April 2006

in this issue:
  • The European e-Identity Conference
  • The Evolution and Current State of DDoS Attacks
  • iDefense Vulnerabilities Report Jan 2005-October 2005
  • The VeriSign Security Review - April 2006
      • Identity Theft Tops 3 Percent
      • March Threat Summary
      • GAO Reports on Information Security
  • IEEE To Propose New Wireless Security Standard
  • VeriSign and BITS to Provide Banking Security
  • Security Events

    Dear Visitor,

    We have a packed newsletter this week, so please do read on - I'm sure you'll find something here that's important to you. First up is the e-Identity conference in Barcelona and, as a reader of Compliance and Privacy, you can get an extra 10% discount, courtesy of VeriSign. And we have another live webcast for you - this time on DDoS attacks. But perhaps most interesting of all is the latest news that 3% of US homes were victims of identity theft in 2005. This is dramatically higher than in the UK, so the question is "is this the shape of things to come, or is the UK different?"

    As you will see, this week's issue has a distinctive transatlantic flavour - but escalating privacy and compliance issues there are highly likely to have a significant impact here, both in terms of legislation and consumer behaviour. Tell us your views: do you think we are too driven by US developments?

    Have a good, safe week

    Peter Andrews

    The European e-Identity Conference

    "Managing Employee, Citizen and Private Identities"

    15-16 June 2006, Barcelona

    Europe's key identity event this year, the European e-Identity Conference, is taking place in Barcelona on 15-16 June 2006, and VeriSign is supporting the event. We hope you will put the date in the diary.

    The conference will focus on identity as a key enabler of today's e-business process and aims to leave delegates with a comprehensive picture of the challenges of managing an effective identity management strategy, as well as the role and value of new technologies. Over two days the key issues surrounding identity will be explored, through presentations, interactive debate, round table workshops, question and answer sessions and panel discussions.

    As a sponsor of the event, VeriSign is able to pass on a 10% discount off the standard delegate fees to members of the Compliance and Privacy mailing list.

    The Evolution and Current State of DDoS Attacks

    The distributed denial of service (DDoS) attack is among the most potentially costly and intractable cyber threats facing technology-dependent companies today. DDoS attacks are also more frequent, larger and more costly than ever before, and the number of available "zombie" computers in the wild is greater than ever. These trends will continue for the foreseeable future. This presentation discusses why that is so, which DDoS mitigation and prevention strategies keep technology-driven organizations in business today, and how early DoS attacks evolved into present-day techniques.

    This webcast is at 2pm EDT on 26 April 2006, that is 7pm BST, 8pm GMT and European time. A replay will be mounted on our site a few days after the webcast.

    This is a live webcast. To participate fully you will need an audio equipped computer.

    iDefense Vulnerabilities Report Jan 2005-October 2005

    Proactive vulnerability notification is critical to effective risk management. VeriSign® iDefense Security Intelligence Services delivers comprehensive, actionable intelligence that helps customers make decisions in response to threats in real time. The following is a list of VeriSign iDefense Exclusive Vulnerabilities that have been publicly disclosed by the vendor since January 1, 2005. The table shows the number of days in advance of public disclosure that VeriSign iDefense customers received notification of each exclusive vulnerability.

    The VeriSign Security Review - April 2006

    March saw a large amount of malicious activity and the VeriSign Threat Level is raised to 3 due to exploits of the Microsoft IE vulnerability disclosed mid-month. The number of American households victimized by identity theft has reached 3.6 million, and phishing is likely to play a larger role in increasing that number. Phishing as a crime industry is growing and maturing, and security professionals must seek comprehensive solutions to combat this plague.

    Identity Theft Tops 3 Percent

    Some 3.6 million American households became victims of identity theft in 2004, reveals the US Department of Justice's National Crime Victimization Survey. The survey of 42,000 households found that young heads of households and those in the highest income brackets are more likely targets of identity theft. Half of the surveyed victims discovered the identity theft after unknown charges were made against an account or they had problems banking. A quarter had problems with credit cards, and one out of six had to pay higher interest rates.

    March Threat Summary

    The VeriSign iDefense Threat Level remains at Level 3 due to the critical Microsoft 06-012 vulnerability. The vulnerability is in Internet Explorer and affects Windows 2000, Windows XP, and Windows Server 2003. Exploits are active but limited, and third-party fixes have surfaced ahead of Microsoft's April 11th patch. Microsoft disclosed that it was working with industry partners and law enforcement to take down Web sites that are already exploiting the vulnerability.

    US-CERT issued an information notice warning of increased DDoS attacks using spoofed recursive DNS requests. An attacker sends thousands of requests, with the source address forged to be the victim's, to a DNS server that allows recursion for anyone. If the server processes the requests as valid, it returns the replies to the spoofed address, and because a DNS reply is much larger than the request that produced it, the result can be a multi-gigabit flood of DNS replies aimed at the victim. The technique is known as an amplifier attack because it takes advantage of misconfigured DNS servers to reflect the traffic onto a target while multiplying the packet volume.
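    The pattern described in the US-CERT notice can be spotted from the resolver's own side, where the spoofed queries appear to come from the victim's address. The script below is an added illustration (not VeriSign's, US-CERT's or any vendor's code) that aggregates a constructed query/response log per client, computes the bytes-out to bytes-in ratio, and raises two indicators: a high amplification factor over a burst of queries, and recursive queries being answered for addresses outside the assumed internal networks (the open-recursion misconfiguration the notice refers to). The log format, the sample traffic, the internal network list and the thresholds are all constructed assumptions.

```python
"""Spot DNS-amplification (reflection) patterns in a resolver query/response log.

Added illustration; the log format, sample traffic, internal networks and
thresholds are constructed assumptions, not from any product or notice.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the client networks this resolver should answer recursive queries for.
INTERNAL_NETS = [ip_network("192.168.0.0/16")]

# Constructed log lines: "<dir> <client_ip> <qname> <qtype> <rd> <bytes>", where
# dir is Q (query received) or R (response sent) and rd is the recursion-desired
# bit. The repeated block is what a burst of spoofed ANY queries looks like from
# the resolver's side: the "client" address is really the reflection victim.
SAMPLE_LOG = "\n".join(
    ["Q 203.0.113.7 example.com ANY 1 64",
     "R 203.0.113.7 example.com ANY 1 3200"] * 12
    + ["Q 192.168.10.5 www.example.org A 1 58",
       "R 192.168.10.5 www.example.org A 1 90",
       "Q 198.51.100.9 example.com A 0 58",
       "R 198.51.100.9 example.com A 0 74"]
)


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, client, qname, qtype, rd, size = line.split()
        records.append({"dir": direction, "client": client, "qname": qname,
                        "qtype": qtype, "rd": rd == "1", "size": int(size)})
    return records


def is_internal(ip):
    """True if the address belongs to one of the assumed internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def per_client_stats(records):
    """Aggregate query/response byte counts and recursion use per client address."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "resp_bytes": 0,
                                 "any_queries": 0, "ext_recursive": 0})
    for r in records:
        s = stats[r["client"]]
        if r["dir"] == "Q":
            s["queries"] += 1
            s["query_bytes"] += r["size"]
            if r["qtype"] == "ANY":
                s["any_queries"] += 1
            # A recursive query answered for an outside address is the
            # open-recursion misconfiguration that makes reflection possible.
            if r["rd"] and not is_internal(r["client"]):
                s["ext_recursive"] += 1
        else:
            s["resp_bytes"] += r["size"]
    return dict(stats)


def amplification_factor(s):
    """Bytes sent back per byte received: the attacker's gain from this resolver."""
    return s["resp_bytes"] / s["query_bytes"] if s["query_bytes"] else 0.0


def flag_clients(stats, min_queries=10, min_factor=20.0):
    """Return {client: {"factor": float, "reasons": [...]}} for suspicious clients."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        factor = amplification_factor(s)
        if s["queries"] >= min_queries and factor >= min_factor:
            reasons.append("high_amplification")
        if s["ext_recursive"] > 0:
            reasons.append("open_recursion")
        if reasons:
            flagged[client] = {"factor": round(factor, 2), "reasons": reasons}
    return flagged


def analyze(text=SAMPLE_LOG):
    """Run the whole pipeline over a log and return the flagged clients."""
    return flag_clients(per_client_stats(parse_log(text)))


if __name__ == "__main__":
    for client, info in analyze().items():
        print(f"{client}: {info['factor']}x bytes out/in, {', '.join(info['reasons'])}")
```

    Note that the flagged address in a reflection burst is the victim, not the attacker, so the right operational response is to restrict recursion to your own networks and rate-limit responses, rather than to treat that address as hostile.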

    GAO Reports on Information Security

    The US Government Accountability Office released reports on information security at the Securities and Exchange Commission (SEC), the Internal Revenue Service (IRS), and the Department of Health and Human Services (HHS).

    After the GAO's scathing 2005 report on information security at the SEC, the 2006 report concludes that "most of the previously reported information security controls and program weaknesses persist." Chief among the weaknesses are access control and patch management.

    While noting progress at the IRS, the GAO says "significant control weaknesses," weaknesses such as excessive access and inadequate logging, remain. One of the key concerns is that the IRS still routinely permits "unencrypted protocols for remote log-on capability."

    Still without a department-wide information security program, the HHS also received criticism from the GAO. A February 2006 report points out that system administrative access was not always restricted and that data is not always encrypted.

    IEEE To Propose New Wireless Security Standard

    The task force that created 802.11i, the standard behind Wi-Fi Protected Access and WPA2, patched security holes by introducing new cryptographic algorithms to protect data traveling across a wireless network. Now, fast handoff, radio resource measurement, discovery and wireless network management schemes are being introduced in the upcoming 802.11r, 802.11k and 802.11v drafts. As new and highly sensitive information about wireless networks will be exchanged, the IEEE is also working on 802.11w, which extends the AES-based protection of 802.11i to management frames such as de-authentication.

    Overall, 802.11w promises to patch security problems created by the flow of new and detailed information over management frames. By protecting the contents of most frames from eavesdropping, and of certain crucial frames from forging, 802.11w will stop the information leakage and reduce some basic DoS attacks. IEEE expects to ratify 802.11w in the first half of 2008.

    VeriSign and BITS to Provide Banking Security

    VeriSign and Banking Infrastructure & Technology Services (BITS), the technology and telecommunications unit of Atlantic Central Bankers Bank (ACBB), today announced they have reached an agreement to deliver security services to community banks throughout the five-state Mid-Atlantic region.

    Under terms of the agreement, VeriSign and ACBB-BITS will provide an integrated set of managed security services (MSS), including firewall management, intrusion detection/prevention management and vulnerability management to help regional and community banks protect their internal networks from unauthorized access and malicious activity. Additionally, the two companies plan to offer VeriSign® Global Security Consulting and the VeriSign® Identity Protection (VIP) service.

    VeriSign Global Security Consulting Services helps companies understand corporate security requirements, navigate the maze of diverse regulations and security compliance requirements, reduce risk, identify security vulnerabilities and defend against and respond to attacks.

    VIP is the most comprehensive suite of identity protection and authentication services, designed to strengthen and protect consumers' digital identities. It will help manage risks to the reputations of financial services organizations, e-commerce companies and enterprises that digitally interact with consumers' personal data.

    Security Events

    April 24-26, 2006
    LinuxWorld NetworkWorld Conference & Expo
    Toronto, Canada

    April 26, 2006
    ISSA InfoSec Conference
    Boise, ID

    May 1-4, 2006
    SecuritySolutions 2006
    Tampa, FL

    May 2-3, 2006
    SecureWorld Expo
    Atlanta, GA

    May 3-6, 2006
    Computer Enterprise Investigations Conference
    Las Vegas, NV

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.