Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 13 December 2006

in this issue:
  • Data Breaches are a Growing ID Theft Concern
  • Jeff Pettorino's Security Convergence Blog
  • Information Security Driving Business Process Improvements
  • Mike Spinney's Private Communications Blog
  • Websense Alerts
  • Microsoft puts security as top priority for IE7 and Vista
  • Survey Reveals Acute UK e-Phobia in Run-up to Christmas Spending Spree
  • NHS National Programme for IT - Major Security Concerns
  • MiFID to cost £1bn! - FSA
  • Public Alerts - from
  • Webcast Replay Library
  • VeriSign Hits top 10 in CIO Insight's Vendor Value Study
  • VeriSign Issues First Ever Extended Validation SSL Certificate
  • Macedonia, Blacklists, and the Security Solution
  • Major Industry Presentations now available

    Dear Visitor,

    With Christmas just around the corner, the office party season getting into full swing, and enough good cheer to cause more than a few well intentioned security lapses, we have a more than usually packed newsletter for you. In the new year we will return to a two weekly schedule and a shorter newsletter. Meanwhile, this is our Christmas present and card all wrapped into one. Our sponsor, VeriSign already has their present. They are in the top 10 in CIO Insight's annual Vendor Value Study.

    Data breaches continue to hit the headlines. No-one is immune, not even a company whose only lapse is taking a laptop out of the office. It is interesting to juxtapose this with Ernst and Young's Global Information Security Survey.

    We have several new items, too, new blogs, for example, with

    • Jeff Pettorino
    • Mike Spinney
    • Michael Farnum (too late for more than a mention in this issue, more next time)

    We also have automatic alerts from Websense Security Labs and, as part of providing you with the best possible information gateway, all in one mini-portal.

    There are details about Microsoft's prioritisation of security for IE 7 and Vista, and news that VeriSign has just issued the first ever Extended Validation SSL Certificate. Uptake isn't going to be fast enough to handle the UK e-Phobia in the run up to the Christmas spending, though.

    Then we have snippets about the UK NHS National Programme for IT. Security concerns mean it is in trouble, at least politically. And alongside that the huge cost of MiFID has been quantified. And to us it seems low.

    If you want a moment to relax, just take time out to review the Webcast Replay Library. The run-up to Christmas is too hectic. Take some quiet time to shut the phone out and stream the replays you missed to your desktop. 2006 has been a hectic year. You deserve a break. And, while the video streams load, look at the article on Macedonia, and get the FT article on the challenges and solution sent to you. And also set the Q4 presentations to download.

    Peter Andrews

    Data Breaches are a Growing ID Theft Concern

    According to an article at the Privacy Rights Clearinghouse, a data breach has become the nightmare scenario for most companies. These incidents can result in severe brand damage, loss of consumer confidence, even litigation. Starting with ChoicePoint's massive data disclosure in February of 2005, the article provides a detailed chronology of this very real and dangerous problem. It's a vast page, and it's slow to load. But take the time and scan down the list.

    The article is confined to the USA, but, according to their update of 3 November, 2006, the total known number of records containing sensitive personal information involved in security breaches was 97,148,596.

    And it's rising!

    Jeff Pettorino's Security Convergence Blog

    The first of two new bloggers for you this month.

    Jeff Pettorino is a Senior Consultant for VeriSign Security Services. In his career history he has held the title of security engineer, data storage specialist, police officer, systems administrator, supervisor, contractor, writer, and philosopher. His consulting work focuses on network penetration testing, social engineering, physical security, and helping clients reach standards compliance.

    Information Security Driving Business Process Improvements

    Information Security is increasingly recognized as a driver of business improvement, says Ernst & Young's 9th Annual Global Information Security Survey, but companies still need to do more to improve their information security posture in the globalized business environment where the largest opportunities also carry the greatest risks. Among the five key priorities identified by the report as being most critical to future success, the one making the most dramatic leap up the boardroom risk agenda is privacy and personal data protection; the most consumer-driven of these issues.

    The survey, "Achieving Success in a Globalized World — Is Your Way Secure?" sought the views of nearly 1,200 senior information security professionals in 48 countries, as well as benchmarking the current information security practices of more than 350 organizations in 38 countries.

    Paul van Kessel, Global Leader of Ernst & Young's Technology and Security Risk Services, comments, "We have identified five major information security priorities in which companies are showing significant progress, but also where continuous improvements are necessary to keep pace with the growing requirements of effective risk management."

    Mike Spinney's Private Communications Blog

    Mike Spinney, CIPP, is principal of the communications consultancy SixWeight, and has more than fifteen years' experience providing strategic communications counsel to business organizations. His resume includes a stint with the U.S. Navy's intelligence service, many years as a public relations hack, and occasional turns as a writer. From 2003 to 2005 he served with the International Association of Privacy Professionals as editor of the group's monthly member newsletter, the Privacy Advisor, and manager of the IAPP's communications program. Since that time Spinney has immersed himself in leading privacy issues, earned professional credentials as a Certified Information Privacy Professional, and become a respected voice within the community of privacy professionals.

    Websense Alerts

    Websense Security Labs serves as a powerful resource to customers and the security community to discover, investigate and report on Internet threats. Websense alerts are essential input in today's world of phishing, crimeware, pharming, phoraging and malware.

    Microsoft puts security as top priority for IE7 and Vista

    Despite antitrust pressures and complaints from partners (turned competitors), Microsoft announced that EU regulators have given it the go-signal to release its new operating system, Vista, without dropping any key security features.

    A high-ranking Microsoft executive claimed that the enhanced security features in Vista will render third-party antivirus software useless. Irked, pure-play security vendors like McAfee and Symantec claimed they were at a disadvantage since they were denied access to key parts of the new operating system, which thus impeded their development efforts. Microsoft announced that Vista, the first major upgrade since XP in 2001, will be released to major business clients by November 30 2006 and available to the public by January 30 next year.

    In line with this, Microsoft rolled out Internet Explorer 7 for Windows XP months before the big release of Vista. Available for download now, the IE7 Web browser upgrade offers users fortified security which will combat malware and phishing. In cooperation with VeriSign and other Certificate Authorities (CA), Microsoft's new IE7 will feature extended validation (EV) SSL, which features increased scrutiny of organizations and more prominent display of certificate details.

    Survey Reveals Acute UK e-Phobia in Run-up to Christmas Spending Spree

    An NOP survey of 999 adults commissioned by Enterasys Networks has revealed the deep distrust of the British public in using the Internet to shop online. Just half (50%) of the UK population have ever shopped online, and 43% of us are put off shopping or banking online because of security concerns.

    The survey revealed that e-commerce still has a long way to go to earn the trust of the public. It showed that more men than women have bought something over the Internet (54% versus 47%) and that the younger we are, the more confident we are that our information will remain confidential. The 16-24 year age group are most confident, with 84% professing to be happy with security compared to just 54% of the 65+ age group. The profile of the active e-shopper is typically a married 'thirty-something', working full-time and living in London or the South of England.

    Our confidence levels in government agencies such as the local council are also worryingly low, with just 27% of the population scoring their security measures at one or two on a scale of five. Banks, on the other hand, can be a little more confident, with 57% of us awarding them a four or five out of five for security.

    NHS National Programme for IT - Major Security Concerns

    Recently the "UK NHS Database" has been hitting the news. General Practitioners (GPs, family doctors) are stating in statistically significant droves that there is something very poor about security on it. Some sources speak of hackers, others of staff with nefarious intent; others speak of the ease of ID theft.

    So how secure will this be? Will Margaret and Michael swap logins and passwords? Will Peter be blackmailed into leaking information? Will the NHS Database become a popular place for criminal gangs to infiltrate as they do in financial call centres?

    MiFID to cost £1bn! - FSA

    The Financial Services Authority on 24 November 2006 published a paper setting out its assessment of the overall costs and benefits for the financial services industry of implementing the Markets in Financial Instruments Directive (MiFID) in the UK.

    The overall impact of MiFID attempts to quantify, where possible, the benefits of MiFID in the UK, and sets these alongside the costs of implementation. The paper indicates that, under certain assumptions, MiFID could generate some £200 million per year in quantifiable ongoing benefits, which will be attributable mainly to reductions in compliance and transaction costs.

    The quantified one-off cost of implementing MiFID could be between £870 million and £1 billion with ongoing costs of around an extra £100 million a year. These are aggregate figures: it is likely that the distribution of costs and benefits will vary among firms depending on exactly how MiFID affects their business.

    Public Alerts - from is a "Neighbourhood Watch" campaign aimed at fighting badware. They seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. They aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware.

    If you want to keep up to date then bookmark their news, which we are publishing on Compliance and Privacy.

    Webcast Replay Library

    Do you know just how many iDefense WebCasts registered members of Compliance and Privacy can see? The list is growing. Currently the library contains:

    • What You Need to Know about Data Execution Prevention (DEP)
    • Instant Messaging Threats
    • Wicked Rose and the NCPH Hacking Culture
    • Mobile Malicious Code: What Lies Ahead?
    • Attacking the Code: Source Code Auditing
    • Malicious Code Year-to-Date Trends
    • An Analysis of New Security Features Within Microsoft Vista and Internet Explorer 7
    • Voice-over-Internet Protocol (VoIP) Vulnerabilities
    • Emerging Economic Models for Vulnerability Research
    • Assessing Geographic Trends and Threats
    • Metafisher Trojan Activity
    • IDS Evasion Techniques and How to Prevent Them
    • The Evolution and Current State of DDoS Attacks
    • Security of the Google Desktop Toolbar
    • Money Mules: Sophisticated Global Cyber Criminal Operations
    • Social Engineering: The Effect on Information Security
    • Sober Worm Post-Mortem
    • Rootkits and Other Concealment Techniques in Malicious Code
    • The Rise of Online Islamic Extremist Propaganda
    • 2005: Intelligence Year-in-Review
    • Top 10 Spyware Applications
    • Exploitation Frameworks
    • Targeted Malicious Code Attacks

    If you or a colleague are looking at any of these areas you simply can't afford to miss this in-depth research, delivered to your desktop, streamed. Pass this newsletter to your colleagues, either by forwarding it or by using the link at the foot. Highlight this section to them. Let them know that they will need to register in order to see the replays (which means they get their own copy of this newsletter), and your organisation will benefit hugely.

    VeriSign Hits top 10 in CIO Insight's Vendor Value Study

    We were both surprised and pleased to observe that our sponsors, VeriSign, appeared jointly in 10th place in CIO Insight's annual Vendor Value 2006 survey (a US survey) with Motorola and McAfee, a notch ahead of key rivals EMC (RSA), Check Point and Symantec.

    To see a high number of IT security vendors making it into the list shows not only the seriousness with which security is being taken, but the quality of the security vendors who made the cut.

    VeriSign Issues First Ever Extended Validation SSL Certificate

    New Groundbreaking EV Upgrader technology will enable all IE7 browsers on Microsoft Windows XP client systems to also display the green address bar

    VeriSign announced on 11 December 2006 the general availability of its Extended Validation (EV) SSL Certificates, which help protect users against online fraudulent activity by providing third party verification of a Web site's authenticity. These new certificates support Microsoft's IE7 and Vista operating system and also incorporate VeriSign's unique EV Upgrader technology enabling all Windows XP clients using IE7 to display the same green address bar and other interface enhancements as Windows Vista clients. VeriSign issued the first of these certificates to, one of the largest online retailers in North America.

    Macedonia, Blacklists, and the Security Solution

    With just over 2m inhabitants and independent only since 1991, the Former Yugoslav Republic of Macedonia is one of Europe's younger and smaller states.

    The country has ambition enough. The European Union granted it EU candidate status in December 2005. Business leaders in the country want to boost economic and, especially, export performance. Macedonia's main industries include wine, cheese, textile production and tourism.

    The Macedonian challenge is that it is a nation where education is strong, engineering and technology are valued and contribute strongly to the economy, and IT is essential. Being hamstrung by a bad reputation meant that Macedonian users were unable to take part in eCommerce and could make no credit card payments online. They couldn't use eBay, PayPal, or any of the services we all take for granted.

    Macedonia was simply blacklisted. Unofficially blacklisted, maybe, but a blacklist is a blacklist. That it was an unfair situation was irrelevant to getting blacklists lifted, because unofficial blacklists tend to have no removal or appeal process.

    Major Industry Presentations now available

    Our sponsors VeriSign have been busy participating in many events this quarter; here is a summary of some of the highlights, with links to a number of the presentations delivered.

    • RSA Conference 2006, Acropolis, Nice, France, 23-25 October 2006
    • Tackling Organised Crime in Partnership, Victoria Park Plaza, London, UK, 22nd-23rd November 2006
    • Combating Online Banking Fraud, 27th November 2006, IOD, London, UK

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.