Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 13th July 2006

in this issue:
  • SWIFT accused of Privacy Breaches
  • Who Steals My Name
  • VeriSign Security Review for June 2006
  • Do you test on Live Data? It's illegal!
  • Tim Berners Lee's Blog
  • Voice-over-Internet Protocol Vulnerabilities - an iDefense Webcast
  • Webcast - How IE 7 and High Assurance SSL Certificates Will Impact Your Site
  • UK Information Commissioner issues Enforcement against
  • Other news in brief

    Dear Visitor,

    As we dive into the vacation season after Wimbledon's tennis and the football World Cup we have a packed newsletter for you. One of the highlights is Tim Berners-Lee's blog. He's very much looking at Internet Neutrality at present.

    Privacy then takes over as a theme, ranging from lost laptops to Privacy International who have made 32 complaints against SWIFT currently for alleged breaches of personal privacy. It'll be interesting to see how this pans out over the coming months. And then testing on live data is pretty scary, especially with Compuware's report showing that 44% of CIOs test on live data!

    And while we're on the topic of Privacy, the UK Information Commissioner has just issued an Enforcement Notice against Birmingham company B4U - the first such notice against a web based business.

    We have two webcasts, too. IE 7 and High assurance SSL certificates on the 18th of July and warnings of vulnerabilities with Voice over IP on the 19th.

    As always, we welcome your feedback - do take part in the discussion forums. The more we get from you, the more we can tailor the content we're providing! And do register your vote in our polls and surveys.

    Peter Andrews

    SWIFT accused of Privacy Breaches

    The human rights group Privacy International has announced that it has lodged complaints with data protection authorities in 32 countries against Society for Worldwide Interbank Financial Telecommunications, or SWIFT (a consortium of financial institutions), claiming that it has violated European and Asian data protection rules by providing the USA with confidential information about international money transfers.

    Privacy grabs the headlines more and more, especially with allegations of nations interfering in citizens' lives. Our article is by kind permission of Eversheds.

    Who Steals My Name

    It begins with a small theft. Someone breaks a car window, grabs a laptop computer lying on the back seat, and disappears into the darkness with the machine. Unfortunately, that laptop belongs to the global sales manager of your company. And now you - and she - have some big problems, because that laptop contains the ID and password used to access your company's customer relationship management (CRM) system. This CRM system contains a lot of sensitive information, and none of it is encrypted. Among the sensitive information: a complete profile of your company's customers around the world, the customers' credit card numbers, and the customers' passwords for your company's ecommerce website.

    VeriSign Security Review for June 2006

    An eventful Microsoft patch week passed with no significant new exploits. Security managers, however, should remain vigilant as unpatched issues remain. Last month also saw the painful departure of spam warrior Blue Security, which faced defeat at the hands of the money-hungry spam and phishing industry. VeriSign continues to monitor spam, phishing, and other malicious activities to help customers stave off costly attacks.

    Do you test on Live Data? It's illegal!

    "But it can't be. And anyway, we have rigorous security in place". Regrettably, that is the attitude of many hard-pressed CIOs today. The business presses for speedy delivery of tested software, and live data tends to be the data with the 'best' hidden gotchas, or so CIOs have always believed. But that doesn't make it lawful.

    Compuware's survey of 100 senior IT decision makers says that 44% were guilty of testing with live data, and 48% were only "vaguely familiar with the law". 83% of those who send data offshore for testing purposes only set up non-disclosure agreements, not even Data Processor contracts - the minimum contract required when outsourcing offshore.

    Tim Berners Lee's Blog

    As part of our never ending quest to find relevant, challenging, and unusual blogs, we've added Tim Berners-Lee's to our featured bloggers.

    The "father of the internet", Tim blogs infrequently. But without Tim there would be no internet, well no world wide web, at least. And his work and his blog are influential.

    Voice-over-Internet Protocol Vulnerabilities - an iDefense Webcast

    One technology that has experienced a recent explosive growth is Internet Protocol Telephony, better known as Voice over Internet Protocol (VoIP), which effectively integrates data and voice communications. VoIP has already proven a cost-effective solution for individuals and corporations that already have perpetual high-speed Internet connections. VoIP will be the only communications medium available for voice traffic in the foreseeable future, and the current movement toward integrating voice and data traffic is indeed inexorable. However, VoIP technology is immature and is thus another factor to consider on an otherwise burdened infrastructure. This report attempts to determine and enumerate the nature of the security and safety threats putting today's corporate VoIP networks at risk. It illustrates the rapidly increasing rate of exploitation and attack vectors, describing attacks that are both general (directed against the Internet backbone of the VoIP network) and specific (targeted toward specific VoIP implementations).

    This event is on the 19th July 2006, at 2pm US Eastern Time, that is 7pm UK time, 8pm European time, and lasts approximately half an hour.

    You are invited to register and join in. You will need an audio equipped computer to participate fully.

    Webcast - How IE 7 and High Assurance SSL Certificates Will Impact Your Site

    Find out how Internet Explorer 7 and new High Assurance SSL Certificates will affect the world's perception of your site security by attending our free VeriSign Web seminar.

    Is your site ready to take advantage of the new security features in IE 7 and other high-security browsers? In this complimentary Web seminar, you will get the most up-to-date information on a new kind of SSL Certificate - High Assurance Certificates - that will take advantage of new features in these high-security browsers. Get the facts by attending this exclusive VeriSign event. Find out how High Assurance SSL will impact your organization, and how you can take advantage of it to quickly assure visitors that your site provides the highest level of security. Please join us as we answer the following questions:

    • What are High Assurance SSL Certificates?
    • How will they be highlighted in new browsers?
    • How will they work?
    • Which browsers will support them?
    • How (and when) can you take advantage of them?

    With phishing attacks growing rampant and consumer distrust increasing as a result, this new SSL Certificate type will play a critical role in helping distinguish legitimate and safe sites from phishing sites.

    This event is on Tuesday, 18 July 2006 at 7pm UK time, 8pm European time, and lasts approximately an hour.

    UK Information Commissioner issues Enforcement against

    In a very serious warning shot to others who break the Data Protection Act 1998, the UK Information Commissioner has prohibited B4U, a Birmingham based business, from using a large part of its online search database. He is now targeting other similar misusers.

    The Information Commissioner's Office has ordered them to stop using personal information from electoral registers published before 2002, after finding the site in breach of the Data Protection Act. B4U is a company based in Birmingham in the UK.

    In addition, the Information Commissioner has opened the doors on a potential flood of actions for damages against B4U by stating that he believes that damage and distress have been caused to individuals.

    Other news in brief

    VeriSign Announces Plan to Further Enhance .com and .net Constellation with Regional Internet Resolution Site in Bulgaria

    Distributed Infrastructure to Provide Even Greater Security and Stability for Growing Number of Bulgarian Internet Users

    VeriSign announced on 4th July 2006 a plan to enhance its global constellation of geographically-dispersed Internet Resolution Sites by installing and operating a Regional Internet Resolution Site in Sofia, Bulgaria. The announcement is another important step in VeriSign's effort to expand critical Internet infrastructure in regions of emerging growth. Once fully implemented, the site will improve Internet performance for the over 2 million Internet users in Bulgaria.

    "Craig's List" lookalike for Global terrorism

    U.S. intelligence agencies have begun monitoring a frightening new Web site that functions as a "Craig's List" for terrorists across the globe, according to the Washington Post. In the past month, membership on the site has grown by 200 people a day, and it swelled to 10,322 in the days and weeks following the announcement that mystery man Abu Hamza al-Muhajir was named as the new leader of al Qaeda in Iraq. A man with a similar name is listed as the administrator of the Web site, called, and his caricature pops up when outsiders try to access secret members-only sections, according to Andretta Summerville of the cyber security firm iDefense. The Web site has been functioning as a one-stop shopping place for terrorists, wannabes and their supporters around the world and appears to serve as an important part of the support network for the murderous al Qaeda in Iraq, Summerville said.

    Using RFID Technology to Fight Counterfeit Entertainment Products

    In an RFID Journal article about the recent Entertainment Supply Chain Academy held in Los Angeles, it was reported that RFID technology vendors OATSystems, ADT, and VeriSign described different ways supply chain partners in the entertainment industry could deploy RFID to increase efficiencies and data accuracy. Paul Mackinaw, VeriSign's principal consultant, noted that movie studios and other producers of entertainment media could leverage RFID technology not just for improved supply chain operations, but also for authenticating product as a means of fighting counterfeit products. It could also serve as a tool for ensuring that retailers introduce new titles to the sales floor on the appropriate release date, not before or after.


    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.