Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 13th October 2006

in this issue:
  • Trusted Computing Group - Open Specification For Mobile Phone Security
  • Larry Seltzer's Security Weblog
  • APACS: people are unaware of basic security measures for eBanking
  • Cyber Attacks Increasingly Target Home Users for Financial Gain
  • 83% of Adults Who Social Network Expose Themselves To Hackers and Identity Thieves
  • New concerns over web security
  • RSA Conference Europe the number one dedicated European Security Event
  • Wicked Rose and the NCPH Hacking Culture

    Dear Visitor,

    The year seems to race ahead, but compliance, privacy and security concerns seem to outpace it all the way. In this issue we bring you several linked stories, a new security blog, and a personal invitation from our sponsor, VeriSign, to attend their stand at the RSA Conference.

    The main theme of this edition is Identity Theft. This is now extending to mobile phones, and the Trusted Computing Group has news on their Open Specification For Mobile Phone Security.

    Link together the risks on social networking sites, the cyber attacks on home users' machines, and the APACS study about the public's lack of awareness when using eBanking, and the scope for impersonation and identity theft becomes huge. No wonder it is the most feared crime nowadays.

    VeriSign's Mike Davies expanded on this theme in London this week at the Privacy & Data Protection Conference 2006. We have his presentation for you.

    Peter Andrews

    Trusted Computing Group - Open Specification For Mobile Phone Security

    The Trusted Computing Group's Mobile Phone Work Group, which has been working to create an industry-wide approach to securing data, transactions and content on mobile phones, announced on 13th September 2006 a draft Mobile Trusted Module specification. This openly available specification is intended to enable stronger security, enhanced privacy and a reduced risk of loss and theft for mobile phone users and for providers of handsets and services.

    "Attacks on mobile phones, including viruses, spyware and spam, and the loss of personal and financial information or the handset itself, clearly will increase as phones increasingly become repositories of critical information and transactions for users," noted Iain Gillot, president and founder of iGR (formerly iGillot Research). "By working together and establishing standards, the mobile industry can move more quickly and efficiently to embed security mechanisms into phones. More security at the platform level can only help the industry continue to offer the services, handset features and content that users want."

    Larry Seltzer's Security Weblog

    Larry Seltzer is the editor of Security Center. He writes an occasional weblog on security matters arising from the Center's articles.

    Larry brings a wry view to the security arena, and often pours scorn on establishment opinions. That's precisely why we feature his weblog.

    APACS: people are unaware of basic security measures for eBanking

    Research released on 22 September 2006 from APACS, the UK payments association working on behalf of the banking industry, shows that people are still not aware of best practice when it comes to online banking and security. The findings clearly demonstrate that some online banking users are failing to protect themselves, despite widely available advice on how to do so.

    The latest study builds on the findings of research carried out in 2004 and shows that people are still unaware of the basic security measures they should have in place to stay safe online. Although internet users are aware of scams such as 'phishing' and Trojan attacks, they are still overly complacent. They need to do more themselves to understand the risks and find out what they can do to protect themselves and their computers.

    Cyber Attacks Increasingly Target Home Users for Financial Gain

    The latest Internet Security Threat Report released on 25 September 2006 by Symantec shows that because home users are less likely to have established security measures in place, they are being increasingly targeted by attackers for identity theft, fraud, or other financially motivated crime. Furthermore, attackers are now using a variety of techniques to escape detection and prolong their presence on systems in order to gain more time to steal information, hijack the computer for marketing purposes, provide remote access, or otherwise compromise confidential information for profit.

    Symantec's Internet Security Threat Report notes that home users are the most targeted attack sector, accounting for 86 percent of all targeted attacks, followed by financial services businesses. Symantec has identified increased attacks aimed at client-side applications, increased use of evasive tactics to avoid detection, and that large, widespread Internet worms have given way to smaller, more targeted attacks focusing on fraud, data theft, and criminal activity.

    83% of Adults Who Social Network Expose Themselves To Hackers and Identity Thieves

    Kicking off October as National Cyber Security Awareness Month, CA and the National Cyber Security Alliance announced the results of the first social networking study to examine the link between specific online behaviours and the likelihood of becoming a victim of cyber-crime. Although social networking sites such as MySpace and Facebook have been examined from the standpoint of physical safety, including sexual predators, this survey examines users' online behaviour and their exposure to other threats such as fraud, identity theft, spyware and viruses. Highlights of the survey include:

    • Although 57 percent of people who use social networking sites admit to worrying about becoming a victim of cyber-crime, they are still divulging information that may put them at risk. For example 74 percent have given out some sort of personal information, such as their e-mail address, name and birthday.
    • 83 percent of adults social networking are downloading unknown files from other people's profiles potentially opening up their PCs to attacks.
    • 51 percent of parents aware of their children social networking do not restrict their children's profiles so only friends can view, leaving their child's profiles unrestricted to potential predators.
    • Furthermore, 36 percent of these parents surveyed do not monitor their children on social networking sites at all.

    New concerns over web security

    At the Privacy & Data Protection Conference 2006 on 9th October, Mike Davies, Marketing Director of VeriSign, outlined some very worrying issues that will affect anyone using the web for marketing over the next 12 to 18 months. Essentially Mike was arguing, and is already in discussions with the Information Commissioner's Office about this, that ANY personal data transmitted over the web should be encrypted in transit using SSL (Secure Sockets Layer). The argument is that the Data Protection Act 1998 requires companies to implement "appropriate" security measures. As Mike explained, Web 2.0 (and the semantic web) will make it far easier for criminals to identify packets of personal data transiting the Internet and steal them.

    The Information Commissioner's interpretation of "appropriate" takes into account three factors: the potential harm, the likelihood of that harm occurring, and the cost of eliminating, or at least minimising, the risk. In the case of Web 2.0 no-one is yet sure of the likelihood, but few disagree that the risk will grow rapidly. The level of harm will also increase as it becomes easier for data thieves to aggregate individual pieces of data into a complete identity.

    So, what does this mean for you? It means that you should be securing your website with an SSL certificate, even if you are only capturing basic name and address data. Industry opinion leaders and legal experts are starting to agree that EVERYTHING we do on the web should be via SSL, because it not only protects data in transit but also gives greater certainty that the website we are looking at is the REAL website and not a fraudster's site (provided the certificate is issued for the site's own name and the visitor's browser validates it). So if you don't yet have SSL on your website, you should implement it as soon as possible.
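    A practical way to audit your own pages against this advice is to find every form that collects personal data and check where it actually submits to. The following checker is an added example written for this newsletter; it is not VeriSign's code and not from the conference presentation. It assumes that text, e-mail, password and telephone inputs carry personal data, and it runs against a constructed sample page rather than a live site.

```python
"""Flag HTML forms that would submit personal data without SSL.

Added example, not from the newsletter or from VeriSign: given a page URL and
its HTML, resolve every <form action> and report forms whose submission target
is not https://.  The sample page below is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types assumed (for this demo) to carry personal data.
PERSONAL_INPUT_TYPES = {"text", "email", "password", "tel"}


class FormCollector(HTMLParser):
    """Collect each form's action attribute and the input fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "inputs": [(name, type)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = attrs.get("name") or ""
            # A missing type attribute defaults to "text" in HTML.
            typ = (attrs.get("type") or "text").lower()
            self._current["inputs"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_forms(page_url, html):
    """Return [(target_url, [field names])] for forms sending personal data off SSL."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action submits to the page's own URL and scheme,
        # so a plain-HTTP page with a relative action is still insecure.
        target = urljoin(page_url, form["action"] or page_url)
        fields = [name for name, typ in form["inputs"] if typ in PERSONAL_INPUT_TYPES]
        if fields and urlsplit(target).scheme.lower() != "https":
            findings.append((target, fields))
    return findings


# Constructed sample page (not a real site): a sign-up form served over HTTP,
# a payment form that already posts to an SSL host, and a harmless search box.
SAMPLE_URL = "http://www.example.com/signup"
SAMPLE_HTML = """
<form action="/subscribe" method="post">
  <input type="text" name="fullname">
  <input type="email" name="email">
  <input type="submit" value="Sign up">
</form>
<form action="https://secure.example.com/pay" method="post">
  <input type="text" name="cardholder">
</form>
<form action="/search"><input type="search" name="q"></form>
"""

if __name__ == "__main__":
    for target, fields in find_insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"INSECURE: {target} collects {', '.join(fields)} without SSL")
```

    Run against the sample it reports only the sign-up form; the payment form already posts to an https:// address and the search box collects nothing personal. Serving the same page over https:// makes the relative action secure too, which is exactly the point of putting the whole site behind SSL rather than just the payment page.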

    RSA Conference Europe the number one dedicated European Security Event

    If you are responsible for implementing, planning or managing information security, then this is the only event to justify your time out of the office.

    Make sure to visit VeriSign at Stand 16 and attend their regular presentation sessions.

    VeriSign invites you to bring your security issues:

    • Consumer Trust issues
    • Identity Theft and management
    • Fraud Detection services
    • Protecting online Consumer Identities
    • Log Management Services
    • Aligning Security with regulatory compliance
    • Phishing
    • Security Intelligence Requirements for Effective Risk Management
    • Security Risk Profiling
    • Firewall and VPN Management

    To arrange an appointment with VeriSign, experience their security solutions or attend their Presentation sessions in the London room, email: or call on: 0800 032 2101 [international +44 (0) 208 6000 740]

    Wicked Rose and the NCPH Hacking Culture

    More than 35 zero-day targeted attacks and related exploit codes emerged during the summer of 2006. Wicked Rose is the Chinese hacker responsible for developing the infamous GinWui rootkit used in the earliest attacks. This VeriSign-iDefense exclusive report provides participants with an in-depth view into the means, motives and culture of Wicked Rose's NCPH hacking group, including photos of the individual hackers. This is a story you won't read about anywhere else, revealing the intimate details of some of the most sophisticated targeted attacks to date.

    This is an interactive webcast:
    When? 2pm US Eastern Time, that's 7pm UK, 8pm European time
    Where? At your desk
    What's needed? An audio equipped computer

    Your input is needed, register now

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.