Brian Pennington

A blog about Cyber Security & Compliance


August 2011

Information rights should be embedded in schools, says ICO

The importance of data privacy and access to official information should be embedded in the formal education process, the Information Commissioner’s Office (ICO) said today, as it launched a research project to explore ways of getting information rights issues covered in primary and secondary education systems in the UK.

The research project aims to ensure that young people are aware of the threats to their privacy and how to protect themselves, understanding the practical and legal safeguards that can help them. The project will also explore how young people can be encouraged to exploit the increasing availability of public information to their advantage.

The ICO has already led a number of initiatives aimed at reaching young people including a youth area on its website, a data protection DVD for secondary schools, a presence on online community games website Habbo Hotel, and an annual student brand ambassador campaign. However, expert opinion suggests that these initiatives have only limited chances of success unless the education of information rights becomes a more mainstream component of a young person’s formal education.

Research undertaken as part of law firm Speechly Bircham’s youth data protection campaign ‘i in online’ has found that, of over 4,000 young people questioned, 88% of secondary school respondents and 39% of primary school children have a profile on a social networking site.

Despite this, 60% of respondents hadn’t read the privacy policies of the networking sites they use, 32% didn’t know what a privacy policy was, and 23% said they didn’t know where to find it.

Jonathan Bamford, Head of Strategic Liaison at the ICO, said:

“Young people today are growing up in an age where an ever increasing amount of information is held about them. It is vital that they understand their privacy rights and how to exercise them.

“We are also now seeing a big move towards transparency with more official information being released than ever before. The Freedom of Information Act is an important tool in holding decision makers to account. By being aware of their rights to access information, young people will feel more empowered to ask important questions about the things that matter to them – be it about their local leisure centre, or what the government is doing on university tuition fees or the environment.

“While we appreciate that some information rights issues are already covered in specific subjects encompassing IT and law, we want to see a move towards schools embedding information rights issues as part of the mainstream education process – giving young people skills that will serve them well throughout their adult lives.”

The ICO is now inviting tenders for a research partner to help examine the current landscape and make recommendations.


RSA’s August Online Fraud Report


Below is a summary of RSA Security’s August 2011 Online Fraud Report.

“Your package has arrived,” screamed the email header which landed in the inbox of countless business professionals around the world. Open it up, and you will find information about a fictitious UPS or FedEx shipment scheduled to arrive.

Simply click on the link or the attachment to track the details and you will get served up with the latest version of the SpyEye Trojan on your computer – and most likely without even knowing it.

This is just one of many spear phishing email attacks targeted at organizations and their employees on a daily basis. In fact, phishing emails are landing in corporate inboxes around the world. In a recent study, 45% of employees stated they had received a phishing email at work. Most often, these attacks are launched by financially motivated criminals who target finance or accounting departments in an attempt to get access to business banking accounts via a Trojan. Yet most of these malware strains are capable of doing a lot more. For example, one plug-in being developed in the underground today features an Outlook grabber that will allow criminals to steal emails directly from the infected user’s inbox.


Identification and analysis of a Trojan is the first critical step in the attack shutdown process. Once a malware strain has been analyzed and deemed malicious, the appropriate steps should be taken to initiate blocking or shutdown of identified infection, drop and update points. The malware associated with this particular attack was confirmed to be the SpyEye Trojan and contained advanced man-in-the-browser functionality. The Trojan contained a list of trigger URLs targeting over 200 organizations as well as automated cashout capabilities to mule accounts.

By blocking access to Trojan resources, the risk to organizations is greatly reduced. Blocked infection points reduce the chances of additional victims getting infected. Blocked update points decrease the chances of infected victims being redirected to new, updated locations. Blocked drop points effectively prevent any victims who might already be infected from transmitting information to a criminal.

Shutdown of Trojan communication resources is more complicated, however. Issues such as foreign working hours, foreign holidays and language barriers must be taken into consideration. In addition, malware is much less “visible” than phishing and more complicated due to the thousands of variants that exist. Before shutdown can begin, there are several factors to consider, such as the ability to recover credentials and evolution of the malware itself.

Credential recovery and forensics is especially key in attempting to extract additional valuable information such as lists of compromised personal information, as well as counts of submitted information, the IP address of victims, the malware binaries and more. Recovery and forensics is also important for working with the law enforcement community. Due to a lack of resources, some law enforcement agencies may not handle a case without proof that it is big enough to potentially harm a large number of victims. In this particular attack, shutdown was performed for the infection, update and drop points.

To date, RSA has shut down over 450,000 phishing attacks and 80,000 Trojan attacks on behalf of customers worldwide.

Phishing Attacks per Month

Phishing attacks identified by RSA hit a new record high of 25,191 in July. The AFCC (RSA’s Anti-Fraud Command Center) has witnessed an overall increase in phishing attacks over the past few months. This increase can be partially attributed to repeated attacks on a group of large financial institutions, which have been heavily targeted recently. Hijacked websites remain the most commonly used method of hosting phishing attacks.

Number of Brands Attacked

Last month, the number of brands attacked decreased by eight percent, dropping from 349 in June to 321 in July. In addition, 13 brands encountered their first phishing attack last month.

U.S. Bank Types Attacked

The portion of nationwide U.S. banks targeted by phishing dropped by two percent in July, yet this sector still remains the most highly targeted by cybercriminals. Nationwide banks are likely considered more lucrative by phishers as their customer base is widely dispersed. Since most phishing attacks are distributed via massive spam mailing lists that are not region-specific, the probability of a spam recipient being a customer of a nationwide brand is likely to be higher.

Top Hosting Countries

The U.S. hosted 53 percent of worldwide attacks in July while Canada and Germany each hosted five percent and the UK hosted four percent.

Top Countries by Attack Volume

The U.S. and the UK remain the countries targeted by the largest volume of attacks – accounting for over 75 percent of attacks in July. Interestingly, Brazil was one of the top three countries targeted by phishing in July – experiencing 5 percent of the attack volume last month.

Top Countries by Attack Brands

The top 10 countries by attacked brands stayed the same in July. Brands in the U.S. and UK are still most preferred by cybercriminals, accounting for over 40 percent of targeted brands last month followed by Italy, Australia, Brazil, Canada, and India.

The full report can be found here.

Conficker is still the most common virus


Three years on, Conficker (also known as Downup, Downadup and Kido) is still the most common virus threat.

Since November 2008 it’s infected computers across the globe, consuming network traffic and opening a back door to other malware attacks.

Conficker exploits unprotected computers and weak passwords. Today it’s often spread through infected USB storage devices.

To prevent infection, Sophos recommends:

  • Apply the MS08-067 patch
  • Disable file and print sharing
  • Strengthen your password
  • Turn off autorun for USB devices
  • Apply a device control policy

Sophos have released a FREE Conficker detection and removal tool. Download it HERE (registration required).


An Insurer’s perspective of Cyber Crime

Beazley, an insurance company, recently issued a press release on the threat to business from cyber crime. Their perspective supports that of the leading IT security researchers.

Beazley quotes some interesting research to support their release:

  • According to a survey by the Identity Theft Resource Center ® of 226 security breaches (1), 44 percent of the victims in the first half of this year (2011) were businesses with assets of under $35 million, which lost in aggregate 3.6 million customer records.
  • Verizon’s 2011 data breach report of 759 occurrences conducted in collaboration with the US Secret Service shows 63 percent of last year’s breaches involved organizations with no more than 100 employees.(2)

Beazley state that most small businesses currently go without insurance coverage due to a variety of misconceptions about the scale of the risk and the scope of their existing insurance protections.

Jamie Orye, an underwriter who manages the US Private Enterprise/Small Business Technology team for Beazley, said: “Cyber criminals view small businesses as easier targets than their larger, more technologically sophisticated counterparts. They have limited resources to protect themselves, and with more modest incomes, these small businesses have more to lose.”

Among the misconceptions frequently relayed to Beazley underwriters by small business owners or their brokers are:

  • The cost of responding to impacted clients is simply a postage stamp per breached record.
  • Our information is well-protected by our IT consultants.
  • Our employees would not act maliciously and know how to protect our data.
  • Security breaches are covered by our general liability policy.

Orye urges small business owners to talk to their brokers to ensure their coverage extends to cover notification costs, which general liability insurance typically does not. Notification costs can be heavy as they must meet the standards prescribed by a bewildering array of state and federal laws.

Firms should also have resources available to conduct proper forensic investigations to ensure they notify clients only when needed.

Orye gave a recent example of a professional services firm that had their server hacked. The firm spent $100,000 on notifying clients that their sensitive data – such as social security numbers – might have been exposed. However, the firm later discovered none of the exposed data fell into this sensitive category.

“Firms should also realize they may not be off the hook for a breach just because their data storage and management needs are outsourced. They will need to find out if their IT service providers are covered for data privacy issues,” said Orye.

Beazley’s Research Sources:

(1) The Identity Theft Resource Center can be found here. The quoted research was from 7/5/2011.

(2) The Verizon research PDF can be found here.

Beazley’s website can be found here.


Which? Tips for Online Banking


After a recent review of online banking, Which?, the consumer guide people, have produced a list of “Top online security tips”.

  1. Regularly log in and check your statement for unusual transactions. If you spot anything unfamiliar, immediately contact your bank.
  2. Avoid public computers for online banking, make sure your wi-fi network is secure, and don’t open emails from unknown sources as they may contain a virus.
  3. Install the latest anti-virus and anti-spyware software, use an effective firewall, and ask your bank if they offer ‘Rapport’ software which can be used in addition to your usual software.
  4. Keep both your operating system (such as Windows) and your browser (such as Internet Explorer or Firefox) up to date and set your computer to install updates automatically. If you receive a suspicious email purporting to be from your bank forward it to reports

Learn more about online banking security by reading the Which? “online guide to protecting your online ID” here and the Which? “How to bank online safely” here.


PCI Security Standards Council Exceeds 100 Members in Europe


In advance of the annual PCI Community Meeting, the Council celebrates more than 100 European companies as key contributors to the ongoing development of the PCI Standards.

The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced a milestone in ongoing momentum and global participation – more than 100 European companies are now PCI Participating Organizations, promising a strong showing for this year’s PCI European Community Meeting on October 17-19, 2011, in London, England.

The Council is made up of more than 600 global Participating Organizations (POs) worldwide. Continual global involvement not only benefits stakeholder organizations but also the larger payment security community, by ensuring the diverse and unique industry and geographic perspectives of those across the payment chain are represented in the work of the Council.

European participation – including merchants, financial institutions and processors from around the continent – has been a key factor in the Council’s analysis and guidance on technologies in the payment environment, such as call center recording technologies and EMV, as well as the development of critical resources like the Prioritized Approach framework.

This year, Participating Organizations also elected a new Board of Advisors, with 7 of the 21 seats being represented by European companies, a testimony to the growing European involvement in the Council and the work and collaboration that is taking place in Europe to drive payment security forward.

“As a member of the Council since 2007, we are pleased to see the growing awareness around payment security in the UK and European regions over the last few years,” said PCI SSC Board of Advisors member Philip Morton, information security compliance manager, British Airways. “We are excited to bring our geographic and industry perspectives to the Council in serving on the Board this term and working with the PCI community to continue to drive increased protection of cardholder data in Europe and globally.”

Twenty-five percent of the growth among European POs has occurred in the last year, since the Council brought on European Director Jeremy King to concentrate PCI efforts in the region. This number has more than tripled since the first year of the Council’s existence.

“Counter to those who suggested that the issue of PCI Standards and global card security were U.S. centric initiatives, our ongoing growth in participation in Europe illustrates the increase in awareness, focus and feedback we are achieving globally,” said Jeremy King, European director, PCI Security Standards Council. “I am very excited about the growing number of European-based organizations who will join us at this year’s European Community Meeting. As we kick off our feedback period for the PCI Standards, I look forward to engaging this core group of stakeholders in our global standards lifecycle process. Together, these organizations will help influence the Council’s agenda and the direction and evolution of the PCI Standards in the coming years.”


Exactly how many Merchants are PCI DSS compliant?


The number of Merchants who are compliant with the Payment Card Industry Data Security Standard (PCI DSS) varies from continent to continent and country to country, but the figures released by Visa for the US make interesting reading.

The table below shows the results for the US up to 30th June 2011, as published on Visa’s website.

Cardholder Information Security Programme (CISP) Category (Visa Transactions per year) | Estimated Population Size | Estimated % of Visa Transactions | Compliance Validated | Validated Not Storing Prohibited Data
Level 1 Merchant (>6M)                        | 377        | 50%  | 97%        | 100%
Level 2 Merchant (1-6M)                       | 881        | 13%  | 96%        | 100%
Level 3 Merchant (e-commerce only 20,000-1M)  | 3,024      | <5%  | 60%        | N/A
Level 4 Merchant (<1M)                        | ~5,000,000 | 32%  | Moderate * | TBD
VisaNet Processor (Direct Connection)         | 62         | 100% | 94%        | High
Agent (Downstream)                            | 1,262      | N/A  | 83%        | High

*Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications

Since the PCI DSS standard was released and enforced, Level 1 Merchants have been the main focus of the card issuing companies and, of course, the QSAs because, as the table above shows, they represent the largest percentage of transactions for a single group and are a small enough number to manage easily. This focus is why Visa can report a near 100% validation rate for Level 1 Merchants.

The largest risk group by number of businesses is the Level 4 Merchants, with over 5,000,000 in the US alone.

Level 4 Merchants have not yet achieved a % on the Visa chart. This is probably because they do not need to have their Self Assessment Questionnaire (SAQ) validated by an external party, e.g. a QSA, except in rare circumstances. Relying on a Merchant’s ability to understand the requirements of PCI DSS and to put in place the processes, policies and protections required to protect credit card data requires a lot of “faith” by Visa.

The majority of credit card breaches happen in Level 4 Merchants, e.g. restaurants and hotels, which is why Visa is pushing EMV on a world-wide basis.

All in all it looks like the majority of Merchants are PCI DSS compliant, which means the programme is doing some good…


Good news for Merchants as the PCI Security Standards Council releases Tokenization guidance


On August 12th the Payment Card Industry Security Standards Council (PCI SSC) published guidelines to help Merchants and credit card processors take advantage of “Tokenization”.

The PCI SSC definition of Tokenization: “Tokenization technology replaces a Primary Account Number (PAN) with a surrogate value called a ‘token’. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values, meaning a properly implemented Tokenization solution can reduce or remove the need for a merchant to retain PAN in their environment once the initial transaction has been processed.”

Merchants are ultimately responsible for the proper implementation of any Tokenization solution they use, including its deployment and operation, and validation of its Tokenization environment as part of their annual Payment Card Industry Data Security Standard (PCI DSS) compliance assessment.

Organizations should carefully evaluate any solution before implementation to fully understand the potential impact to their CDE (Cardholder Data Environment). The paper helps guide merchants through this process by:

  • Outlining explicit scoping elements for consideration
  • Providing recommendations on scope reduction, the tokenization process itself, deployment and operation factors
  • Detailing best practices for selecting a tokenization solution
  • Defining the domains, or areas where specific controls need to be applied and validated, in which tokenization could potentially minimize the card data environment

This additional guidance also benefits tokenization service providers and assessors by informing them on how the technology can help their merchant customers limit or eliminate system components that process, store, or transmit Cardholder data, and reduce the scope of the CDE and thus the scope of a PCI DSS assessment.

“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”

Jeremy King, European director of the PCI SSC, said the process is challenging because not all cards have a 16-digit primary account number (PAN). Some Tokenization methods are more applicable than others according to the card in question. Some tokens try to preserve the format of the original PAN in order to maintain compatibility with internal processing applications, while other approaches may generate a new truncated or randomised number, King said.

“Systems that allow you to get back to the PAN need to be properly protected, and are in scope,” King said.

Tokenisation can dramatically reduce the requirements of PCI DSS. In simple terms, if a Merchant stores no credit card data, the scope of PCI DSS is reduced.

For the majority of Merchants, reducing the scope of PCI DSS by not storing credit card data can mean the difference between a relatively simple Self Assessment Questionnaire (SAQ), e.g. SAQ A, and the highly complex and extremely difficult SAQ D.
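To make the scoping point concrete, here is a small token vault written for this post as an added example (not the PCI SSC’s or any vendor’s code): the vault can reverse a token and so sits inside the CDE, while the order record it hands back holds only a token and a masked PAN. The TokenVault class, the record_order helper and the test card number are all constructed for illustration.

```python
"""Toy token vault illustrating the PCI SSC tokenization guidance.

Added example, not code from the PCI SSC or the blog. The class, the
token format and the sample PAN below are constructed for illustration.
"""
import secrets
import threading


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_well_formed_pan(pan: str) -> bool:
    """Digits only, 13-19 long (PANs are not all 16 digits), Luhn-valid."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """PCI DSS style masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to surrogate tokens and back.

    This is the component King refers to: because it can get back to the
    PAN it is always in scope. Systems that only ever see tokens can be
    kept outside the cardholder data environment.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}
        self._lock = threading.Lock()

    def _new_token(self, pan: str) -> str:
        """Format-preserving token: same length, last four digits kept
        (so receipts and support lookups still work), random digits
        elsewhere, and deliberately Luhn-invalid so it can never be
        mistaken for a real PAN by a downstream system."""
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing one on first sight."""
        if not is_well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        with self._lock:
            if pan in self._pan_to_token:
                return self._pan_to_token[pan]  # same PAN, same token
            token = self._new_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        """Only in-scope callers (e.g. the processor connection) get this."""
        with self._lock:
            if token not in self._token_to_pan:
                raise KeyError("unknown token")
            return self._token_to_pan[token]


def record_order(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant's order system stores: no PAN, only a token and
    a masked value, which is what keeps that system out of scope."""
    token = vault.tokenize(pan)
    return {"token": token, "pan_masked": mask_pan(pan), "amount": amount}


if __name__ == "__main__":
    v = TokenVault()
    order = record_order(v, "4111111111111111", "12.34")  # constructed test PAN
    print(order)
    print("vault recovers:", v.detokenize(order["token"]))
```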

The PCI SSC Tokenization Information Supplement can be downloaded here.


Most Small Business Owners do not treat Fraud as a Top Priority – survey results


On the 15th August 2011 TD Bank launched the results of a survey indicating that small businesses (under $5 million) do not have business fraud as their top priority; in fact, only 1% of survey respondents said it was a top priority.

TD Bank’s survey polled 300 small business executives in its Maine to Florida area to understand their current awareness of small business fraud, as well as their top external concerns over the next 12 months.

“It’s encouraging to see that small business owners are taking steps to protect their business, but fraud protection should be a high priority and it pays to be vigilant,” says Fred Graziano, Head of Commercial and Small Business Banking at TD Bank. “Given the influx of new digital technologies and operational tools available for small business owners, it’s increasingly important to learn about the latest trends and techniques used by criminals, and to be more diligent in defending against fraud.”

Graziano and Robert Dunlop, TD Bank Director of Corporate Security and Investigations, offer the following advice to small business owners to protect their business from fraud:

Manage finances using secure online banking.

Online banking is a secure and essential tool for any small business owner. The benefits of this useful service include 24/7 access to real-time information, account transfers and payment management. Small business owners can easily schedule and manage payments, submit remittance information, and have an audit trail of all transactions.

“It’s important for small business owners to check their account activity regularly,” says Graziano. “Having instant access to payment history helps businesses closely monitor their spending for any discrepancies. If there are any, contact your financial institution immediately.”

Protect computer systems and practice online awareness.

“Being complacent about cyber protection can lead to the compromise of critical information and detrimental consequences for a business,” says Dunlop. “Every computer at home or in the office should have installed and regularly updated firewalls and anti-virus software.”

While conducting business online, be aware of “phishing” – an electronic scam that attempts to obtain confidential personal or financial information from its target. It takes the form of a fake message, usually an e-mail, which appears to be from a financial institution or service provider. While some e-mails are easily identified as fraudulent, including some containing enticing headlines, others may appear to come from a legitimate address.

“If an offer received via e-mail or on a website sounds too good to be true, it probably is,” says Graziano.

Safely handle sensitive documents and financial statements.

“The web isn’t the only place where thieves can steal valuable information from a small business,” says Dunlop. “Employees and outside parties can steal important mail, credit card information or checks, and commit fraud.”

Printed financial statements, social security numbers and other sensitive papers should be disposed of properly using a shredder or kept in a securely locked device.

“To avoid the hassle of handling several papers, banks such as TD Bank allow customers to opt out of paper statements and receive online statements instead,” says Graziano.

According to Dunlop, technological advances have even put photocopiers at risk, “Most photocopiers built since 2002 contain a hard drive that stores every image scanned, copied or emailed. When a business sells or upgrades their copier, the machine is usually cleaned up and reconditioned, but often times the hard drive is left intact and is not scrubbed,” says Dunlop.

Once resold, it’s possible for anyone to simply pop out the hard drive and access, and sell confidential information such as income tax and bank records, social security numbers, and birth and medical records.

“Businesses need to be aware of this and treat documents in the standard office copier just as they would any printed document, and guard that information accordingly,” says Dunlop.

Obtain fidelity insurance.

“Crime and fraud-related losses generally aren’t covered by property insurance policies, so it’s important to protect money losses from workplace fraud,” says Dunlop.

Fidelity insurance protects your business against criminal acts such as robbery, embezzlement, forgery and credit card fraud. Liabilities secured under this type of insurance usually include money loss coverage (burglary or theft) and employee dishonesty (embezzlement and forgery).

Search for low rates and partner with a broker, such as TD Insurance, who can help shop for the best deal.

Incorporate appropriate checks and balances.

Every small business owner should perform an internal review and assessment of company finances on a monthly basis. Make sure payment amounts match all invoices and check for any missing documents. “Running random audits or having a third party audit the books once a year will show employees you are serious about fraud and deter them from committing deceptive acts,” says Graziano.

TD Bank advise that if you think you are a victim of business fraud, immediately contact the fraud department of any of the three major credit bureaus to place a fraud alert on your credit file. Also, contact your banks, credit card issuers and other creditors where your finances and information are available.

More information on TD Bank’s security can be found here.


The ICO judgment on Lush after the breach of 5,000 people’s bank details


Seven months after the disclosure of the data breach at Lush Cosmetics Ltd, the Information Commissioner’s Office (ICO) has delivered its findings and imposed its actions against Lush.

The ICO has announced:-

Cosmetics retailer Lush breached the Data Protection Act after the security of its website was compromised for a four month period, the Information Commissioner’s Office (ICO) said today. The breach, which occurred between October 2010 and January 2011, meant that hackers were able to access the payment details of 5,000 customers who had previously shopped on the company’s website.

As a result of the breach, the ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard. The ICO is taking this opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO.

Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been the victims of card fraud. After making enquiries, Lush found out that their website had been subject to a hacking incident which had allowed hackers to access their customers’ payment details. On uncovering the incident, the security of Lush’s website was immediately restored.

The ICO’s investigation found that, although the company had measures in place to keep customers’ payment details secure, they were not sufficient to prevent a determined attack on their website. The retailer’s methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach.

Acting Head of Enforcement, Sally Anne Poole said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

Mark Constantine, Managing Director of Lush Cosmetics Ltd, has signed an undertaking committing the retailer to taking necessary steps, including that the company only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary. All future payments will also be managed by an external provider compliant with the Payment Card Industry Data Security Standard and the retailer will also make sure that appropriate technical and organisational measures are employed and maintained.

It is understood that Lush now uses Nettitude to do penetration testing, Trustwave to secure its payments system, and RBS WorldPay to process transactions.

Related articles:-

25/2/2011 Lush once again trading

15/2/2011 Lush confirm their Australian Website has been hacked
