Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 29th June 2006

in this issue:
  • An Analysis of New Security Features Within Microsoft Vista and Internet Explorer 7 - an iDefense Webcast
  • iDefense Webcast replays
  • What is SSL?
  • Internal fraud coupled with IT savvy is a killer combination
  • News Snippets

    Dear Visitor,

    With the beta release by Microsoft of both Vista and of Internet Explorer 7, iDefense is holding a WebCast on their security features. This is an excellent opportunity for detail-level forward planning for security. And there needs to be detail-level planning! Look at the current results of our survey on SSL implementation today!

    With security our main emphasis this week, Richard Stiennon has covered fraud in his blog. Don't just have a look at this article in isolation. Visit the bloggers we're collecting and suggest others to me by replying to me now. Which bloggers would you like us to feature on Compliance and Privacy?

    As always, we welcome your feedback - do take part in the discussion forums. The more we get from you, the more we can tailor the content we're providing!

    Peter Andrews

    An Analysis of New Security Features Within Microsoft Vista and Internet Explorer 7 - an iDefense Webcast

    Microsoft Corp. released beta versions of its new Windows Vista operating system and version 7.0 of its Internet Explorer Web browser in 2005. However, the new products have yet to be released commercially. This presentation will focus on the new security features planned for these two new products, explaining how these features will benefit the overall security of the Windows platform and potential problems they may introduce. Emphasis will be placed on how vulnerabilities in earlier versions of Windows led Microsoft to implement these features and change the way the company approaches software security.

    This is advance notice for the webcast which is on 2 July 2006. It runs at 2pm US Eastern time, that's 7pm UK time, 8pm European time.

    Your active participation makes these events run well. You are invited to participate on the 19th. Make a diary date and have an audio-equipped PC to ensure you get your questions answered.

    iDefense Webcast replays

    We now have an even better way of bringing you the iDefense webcast replays. We've gathered them together in one place. Obviously they are for our members only, so, if you have a colleague who should see them, simply pass this newsletter to them (link at the foot, or forward it) and have them click the link.

    What is SSL?

    No, we're not giving the answer here and now! But what does surprise us is the current set of results of our straw poll on implementation of SSL. A strong part of the audience for Compliance and Privacy is, or we thought it was, people who deploy SSL technology. The current results must be an anomaly, mustn't they?

    Check your own SSL implementation status, and see the answers so far. We'll be commenting on this in an article later this summer.

    Where is the survey? Easy. Left hand margin of Compliance and Privacy.

    Internal fraud coupled with IT savvy is a killer combination

    This week we're drawing your attention to an article by Richard Stiennon in his Threat Chaos blog. As you know, we are gathering excellent bloggers onto the site. We'll be featuring the most relevant articles from time to time in this newsletter.

    Richard looks at fraud. He says: "As any auditor knows internal fraud is as old as business. The classic case involves the secretary who is responsible for accounts payable as well as procurement. He generates bogus invoices and pays them to bogus companies. I have a friend in Chicago whose business was ruined this way. A law firm here in Michigan lost millions to the Nigerian 419 scam because their secretary had access to the firm's funds."

    News Snippets

    Recent Microsoft Patches

    Both Computerworld and TopTechNews reported how security firms are warning consumers about the availability of attack code targeting some of the flaws for which Microsoft Corp. released patches Tuesday. "Exploit code had already existed for three of the vulnerabilities prior to Tuesday, as they were already public issues," said Michael Sutton, director of VeriSign iDefense Labs. "Beyond that, we're seeing public exploit code emerge for some of the new vulnerabilities and are hearing rumors of private code existing for others." The availability of such exploits heightens the risk for companies that have not yet been able to patch their systems and is an important factor to consider when deciding which systems to patch first, he said.

    Yahoo!'s New Worm

    Ken Dunham, senior engineer at iDefense, a VeriSign company, was quoted in TechNewsWorld on Yamanner, a new worm targeted at Yahoo!'s Web-based e-mail service. Ken said, "The problem is the end users may not realize their computer is affected. Who would have thought you could get a virus just browsing the Internet? It violates the trust that people have for the basic use of the Internet and causes them to feel they are helpless to stop it."

    "This worm has a larger scope than originally was thought. It may impact other Web e-mail services as well," Ken told TechNewsWorld. "This worm required a lot of testing to successfully attack users of Web-based e-mail services. These attacks are getting more sophisticated."

    The Pros and Cons of the Semantic Web

    A recent IT Week news article defined the "semantic web" as technologies that will make web pages easier for computer systems to interpret. Phillip Hallam-Baker, principal scientist for VeriSign, said an unintended consequence of semantic web technology would be to expose individuals' details more easily to criminals searching for ways to crack passwords and commit identity fraud. "More and more information is being put online, and all the semantic web is doing is making it easier for people to access that data and use it to their advantage," Hallam-Baker argued. "Professional criminals are looking to exploit that information - obscurity can buy you some time but it's running out." He added that widespread use of the semantic web would probably hasten the end of simple passwords as a means of authentication, to be replaced by stronger, two-factor systems for customers to prove their identity to online merchants and service providers.


    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.