VeriSign Security Review
August 2006
The Computer Security Institute (CSI) and the Computer Intrusion Squad of the San Francisco Federal Bureau of Investigation (FBI) recently released a report on their findings from a joint survey conducted over the last 11 years on computer crime and security. VeriSign encourages all customers and newsletter subscribers to read this report. The comprehensive 29-page report is available for download from the CSI website.
In this issue:
Hot Topics
Monthly Threat Summary
- The Microsoft Corp. Security Bulletin set a record in terms of the total number of vulnerabilities addressed and the number of vulnerabilities labeled as Critical (15 this month as opposed to 11 last month). Of these vulnerabilities, security experts consider MS06-040 to be the most critical, and it should be patched immediately.
News from VeriSign
- VeriSign to Secure WiMAX Standards Wireless Broadband Networks
- iPay Technologies Selects VeriSign Identity Protection Fraud Detection Service for Risk-Based Authentication
Security Events
- September 7 - 8: Forrester Security Forum, Atlanta, CA
- September 11: Fall VON, Boston, MA
- September 12 - 14: CTIA Wireless IT, Los Angeles, CA
- September 12 - 14: Executive Woman's Forum, Phoenix, AZ
FFIEC Deadline Approaching for Financial Institutions
The FFIEC Guideline requiring all financial institutions to outline a plan for, or begin implementation of, multi-factor authentication tools by the end of 2006 has many organizations scrambling to evaluate vendors and finalize plans.
For current and potential customers, VeriSign
offers the most comprehensive solution as well as the most trusted and
well-known consumer security brand. Financial institutions or any business
that wants to ensure the security of their online customers can turn
to VeriSign. For over 10 years, our one and only mission has been to
provide organizations with the latest world-class Network and Application
Security and Identity Protection solutions. Our history and expertise
make VeriSign uniquely qualified to be your security partner. Our solutions
provide:
Quick and Easy Deployment
- Complete out-of-the-box functionality (risk engine, rules, intervention, management)
- Zero-integration and zero-code deployment options
Proven Experience
- VeriSign is already providing authentication services to over 500,000 Web sites: over 93% of the Fortune 500, the world's 40 largest banks, and 47 out of the 50 biggest e-commerce sites
A Complete Solution
- Comprehensive risk-based authentication solution (detection, intervention, investigation & case management)
Superior Intelligence
- State-of-the-art risk engine
To help you get the information you need, watch
the on-demand web seminar, Risk-Based
Assessment: A Practical Guide to Complying with FFIEC Authentication
Guidelines or download the new VeriSign
Identity Protection – Fraud Detection Service white paper.
Whether you're just starting to evaluate vendors, not sure how your proposed vendor measures up, or would like to compare our products and services with your current solutions, give us a call at 650-426-5310. We're confident we can provide you with the most comprehensive and easy-to-deploy solution to meet FFIEC compliance and the end-of-year deadline.
Take a Proactive Approach to Risk Management
The foundation for an effective risk management
program is an understanding and assessment of an organization’s internal
and external threats. We’ve created a 6-minute video that explains these
threats and how you can proactively manage your risk, monitor compliance
and most importantly – identify and mitigate security threats in real time. Download The
Life of a Threat video in Windows Media or QuickTime
format.
US Ratifies Council of Europe Convention on Cybercrime
On Aug. 3, 2006, the United States Senate ratified
the Council of Europe Convention on Cybercrime, a multinational treaty
that attempts to foster cooperation on prosecuting Internet-based crimes.
Although some privacy organizations are protesting the treaty, overall,
the response to America's ratification of the treaty, especially commentary
from leading American security companies, has been quite positive.
To date, 38 countries have signed the treaty, which requires that member countries establish as criminal offenses a wide variety of cyber-related activity, including "the access to the whole or any part of a computer system without right…when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system…the damaging, deletion, deterioration, alteration or suppression of computer data without right" (ibid.), child pornography and other offenses. It also requires that signatory countries establish procedures for dealing with these crimes and provides a prosecutorial framework for international cooperation between signatory countries.
The real impact of ratifying the treaty for
the US will be the resultant cooperation with other countries, which
will help authorities to track and prosecute cybercrimes originating
from countries that target the US.
Computer security companies are practically
unanimous in praising the Senate's ratification of the treaty. For example,
the Cyber Security Industry Alliance (https://www.csialliance.org/),
a computer-security advocacy group, released a statement in which Executive
Director Paul Kurtz said, "Today marks an important milestone in
the fight against international cybercrime. Through its support of the
cybercrime treaty, the US is strengthening international laws and empowering
law enforcement authorities to protect our information-based systems" (see "CSIA Applauds Ratification of Cybercrime Treaty," Cyber Security Industry Alliance Press Release, August 4, 2006).
However, the Senate's ratification of the treaty
has also drawn criticism, primarily from privacy groups. For example,
the Electronic Frontier Foundation's (EFF) statement on the ratification
calls that treaty the "World's Worst Internet Law" and claims
that "the treaty requires that the US government help enforce other
countries' 'cybercrime' laws, even if the act being prosecuted is not
illegal in the United States.” This reportedly means, in EFF’s view,
that “countries with laws limiting free speech on the Net could oblige
the FBI to uncover the identities of anonymous American critics or monitor
their communications on behalf of foreign governments." The EFF
also claims that "American ISPs would be obliged to obey other
jurisdictions' requests to log their users' behavior without due process
or compensation" (see "Critics Clash Over Cybercrime Convention," Infoworld,
Aug. 7, 2006).
Complaints about the treaty by privacy groups
seem overblown, though. The EFF's view that the treaty requires the
US to assist in the prosecution of cybercrimes that are not illegal
in this country is irrelevant, since other signatories to the treaty
have criminalized few, if any, activities that the US has not deemed
to be illegal (if countries with tighter restrictions on Internet usage,
such as China, join the treaty, this could become more problematic).
US officials have taken freedom-of-speech concerns into account and
say that the treaty will not override constitutional protections. For
example, the US opted out of the "hate speech" component of
the treaty since many European countries have much tougher restrictions
on freedom of speech than the US.
For corporations whose activities are possibly
impacted by the treaty, the effects will most likely be minimal, since
the bulk of activities stipulated by the treaty are best practices anyway.
Thus, if adhered to by the signatory companies, the treaty provides
significant benefits and no major additional burdens.
Monthly Threat Summary
The Aug. 8 Microsoft Corp. Security
Bulletin set a record in terms of the total number of vulnerabilities
addressed (23; the previous record was last month's 21) and the number
of vulnerabilities labeled as Critical (15 this month as opposed to
11 last month). Of these vulnerabilities, security experts consider
MS06-040 to be the most critical and it should be patched immediately.
Two other events of note over the past two weeks were the DEFCON convention, held in Las Vegas from Aug. 4-6, and the Black Hat convention, held in the same town from July 29-Aug. 1. Although these conferences are as much (or even more) social gatherings as they are professional conferences, presenters at both events announced a number of new vulnerabilities and attack techniques, which will doubtless inspire budding hackers to emulate and improve upon them.
One potentially significant issue that emerged at DEFCON was the announcement of a means to – in theory at least – use a BlackBerry to hack into a corporate network. The technique involves connecting to a malicious host using a BlackBerry device, then connecting from the malicious host (located on the Internet) to the RIM server residing on the internal network (Hines, Matthew, "Researchers Warn of Serious BlackBerry Vulnerability," eWeek, Aug. 8, 2006).
Malicious cyber activity in the near future is likely to revolve around 1) the vulnerabilities announced in the latest Microsoft Security Bulletin, as hackers attempt to exploit the window of opportunity to develop attack methods before users' computers are patched, and 2) the attack techniques publicized at the DEFCON/Black Hat conferences, which will likewise encourage malicious actors to attempt to emulate them. Of these, the most troubling, again, is Microsoft's announcement of the MS06-040 vulnerability; at least one bot that targets the vulnerability has already been released, and more malicious code is almost certain to follow.
News from VeriSign
VeriSign to Secure WiMAX Standards Wireless Broadband Networks
VeriSign has been selected by the WiMAX Forum™, the exclusive global organization dedicated to certifying the interoperability of wireless broadband access products based on global standards, to provide PKI-related services to all WiMAX Forum Certified™ solutions based on IEEE 802.16-2004 and ETSI HiperMAN 1.2.1. Read the release.
iPay Technologies Selects VeriSign Identity Protection Fraud Detection Service for Risk-Based Authentication
iPay Technologies selected the VeriSign® Identity Protection (VIP) Fraud Detection Service to provide online security for its customers and financial institutions. Under the terms of the agreement, iPay Technologies will deploy the VIP Fraud Detection Service to secure customer login and transaction information. Read the release.
Security Events
September 7 - 8: Forrester Security Forum, Atlanta, CA
Hear Ken Dunham, Director of Rapid Response Team, VeriSign iDEFENSE, as he gives his keynote presentation, 2006 Cyber-Threatscape - A Review of the Top Threats, Trends, and Issues Important to Computer Security Leaders, on Thursday, September 7, 11:00 a.m.
September 11: Fall VON, Boston, MA
Tom Kershaw, VeriSign Vice President of VoIP Services, will present Creating Applications in an IMS World on September 12 at 4:30 p.m. On September 14 at 2:00 p.m., he'll present Video Ringtones. If you're attending VON, please visit us at booth #349.
September 12 - 14: CTIA Wireless IT, Los Angeles, CA
If you're attending this year's CTIA show, please stop by VeriSign booth #1047 at the Los Angeles Convention Center.
September 12 - 14: Executive Woman's Forum, Phoenix, AZ
VeriSign is proud to be a Diamond Sponsor of this premier event that brings together elite female information security executives and practitioners.