web analytics

SSL Review Part – II

May 15

Its been long I know, Its been 2 weeks since my last post was really busy with office work but as I said in my last post. I will try to write regularly about Security related things as I come across. To continue with my last blog post regarding SSL Review. Today, I am going to review Organization Vetted or Organization Verified SSL Certificate also called as OV SSL Certificate. Different vendors given it different brand name like Geotrust calls it as “True Business ID Certificate” while VeriSign calls it “Secure Site” or Comodo’s “Instant SSL Certificate” all vendors have given it different names.

Organization Vetted(OV) SSL Certificate

When SSL Certificate invented, they were issued against verification all organization documents.  As I read somewhere you have to provide as many documents as you are opening new back account or getting license to do certain business. This is medium trusted SSL Certificate not poorly issued Domain Vetted Certificate which requires only domain level authentication to get you unsafe SSL Certificate (Yes, Domain Vetted SSLs are untrusted).

OV SSL Certificate requires business documents and that means they are verified at certain level and you can trust them because it has verified organization which wants SSL Certificate not only domain level verification.

OV Requires certain documents which are as following. They may change Vendor to vendor.

1) Domain Verification if privacy protection is not that is not validated. You need to have privacy protection off

2) Third Party verification like Government Documents or Yello pages

3) Employee or issuer authorization letter by Organization.

There may be some more documents but above are generally requested by SSL Certificate vendors. organization vetted SSL Certificate generally takes 2 to 3 days to issue and you can install. This is general time given by vendors like Geotrust, Comodo, VeriSign, Trustwave, Entrust etc.

SSL Certificate are most required for person having e-commerce website and they are requested when they want PCI Compliance. SSL Certificates will help you to secure your clients data and Organization Vetted SSL Certificate is one of the best solution. The Best Solution which I like the most is EV or Extended Validation process which requires very high verification process or organization and that means it is secure. Organization Vetted SSL Certificate helps your customers to prevent against phishing attacks but Extended Validation will help you to make them to trust you more.

I will review Extended Validation soon and will provide you more information.

Write is Gaurav Maniar (IT Manager, SSL Support Expert @ www.thesslstore.com, MCITP, MCSE, MCSA)

Read More

Comodo RA Compromised

Mar 31

I know it is too late to write about this but I came to know about this couple of days ago.

Comodo has confirmed that three registration authorities (RAs) affiliated with the company were compromised first reported on 23rd March 2011 by Iranian hacker to get fraud SSL Certificate for yahoo, google, Microsoft and Skype.

The Certificate was signed by third party without sufficient proof of identity and other information required.

The certificates could have been used by a fraudster to create a fake website that was able to bypass a browser’s validity mechanism and appear like the real thing to users.

Comodo has updated their most recent CRL (Certificate Revocation List) with removal of SSL Certificate.

Customers don’t need to do anything since the update is typically loaded automatically. As well, web browsers with the Online Certificate Status Protocol (OCSP) enabled will block the phony certificates from being used. Researcher Jacob Appelbaum first reported the problem to Comodo but withheld disclosure until the certification authority could remediate the issue.

The intruder, calling himself “Comodohacker,” has posted several lengthy documents on the text-sharing site Pastebin, offering up details about the incident. In the latest document, posted Tuesday, the hacker said it was a difficult infiltration that took time.

“From listed resellers of Comodo, I owned 3 of them,” the hacker wrote.

While rogue certificates were quickly revoked, the incident was serious enough to prompt Comodo to institute new controls and for the major web browsers – Mozilla’s Firefox, Microsoft’s Internet Explorer and Google’s Chrome – to issue updates to their browsers last week.

In response to rampant concerns about the trustworthiness of its certificate generation system from customers, browser companies and others in the security community, Comodo’s Alden said the company is in the process of rolling out hardware-based, two-factor authentication for its resellers to ward off attacks in the future.

The process could take several weeks to complete and, in the meantime, Comodo has promised to review all reseller validation work prior to issuing any certificates.

Mozilla, in particular, criticized Comodo for allowing RAs to issue certificates directly from the root that the company maintains, a practice that eliminated some possible attack mitigations. In response, Comodo said it plans to move away from this practice.

 

Read More

Dechert – Telephone Monitoring: Dos and Don'ts

Jan 04

Renzo Marchini, of Dechert LLPAn article by Renzo Marchini, Of Dechert LLP

It is widely (and incorrectly!) believed that it is unlawful in the UK in all circumstances to monitor and record telephone calls without drawing this to the attention of the parties to the call. There are in fact broad exceptions which are relevant to many businesses which do allow such activities without obtaining consent.

There are several reasons why businesses may wish to monitor or record telephone use for the purpose of its business. Often the rationale is quality control or even compliance by an employee with certain regulations, but the monitoring may also be useful for ensuring that employees are not calling friends in Australia at the businesses expense or otherwise using the system contrary to your policies. The law must however balance these goals against the need to protect employees as well as external persons from “snooping” and misuse of such data.

There are two principle legal areas of relevance; namely, the law on “interception” of communications stemming from the Regulation of Investigatory Powers Act 2000 (“RIPA“) and the Data Protection Act 1998 (“DPA“).

RIPA puts constraints on when a person may make an “interception of a communication in the course of transmission”. RIPA is wide in scope and, in particular, “interception” includes a “monitoring or interference” with a private telecommunications system which makes the communication available to someone other than the sender or recipient of the communication. Interestingly, this includes the opening of previously unopened emails, but for the purpose of this article, it includes listening in on and recording telephone calls.

Any interception would be, broadly, unlawful (in fact, criminal) unless the consent of both the sender and recipient is obtained, or alternatively the communication falls within an exception defined in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “Regulations“). Under the Regulations, the exceptions that are relevant to most businesses are where monitoring or recording communications are carried out:

to ascertain compliance with regulatory requirements, practices or procedures;to ascertain or demonstrate employee standards;for the purpose of preventing or detecting crime;for the purpose of detecting unauthorised use of the telecommunications system; orto ensure the effective operation of the system.

In addition, monitoring (but not recording) communications may be carried out without consent:

for the purpose of determining whether they are communications relevant to the business; orto monitor communications to confidential anonymous counseling or support helplines.

In addition, in all cases where consent is not obtained, the interception must be of a communication relevant to the business.

This is all pretty wide, but there are two easy traps to fall into.

First, a business must not intercept private communications. Having said that what happens if what you thought was a business communication turns out to be private? It is easy to envisage a personal communication being inadvertently intercepted in the course of a permitted interception. Where this is the case there is no offence where the situation is unavoidable in the context of permitted monitoring. In other words, if in the course of the monitoring (or the playing back of a recording) it becomes apparent that the monitored communication is in fact private, the interception (or playing back) should cease.

Consistent with the situation under the data protection regime, below, an employer must have made all reasonable efforts to inform all employees that an interception of their telecommunications may take place.

The recording of phone calls will also be governed by the DPA, as the information recorded will be “personal data” of an employee and (possibly) “personal data” of the external person (as the recording could be used to identify the caller). (Interestingly, merely listening in on calls does not raise a DPA issue, but making notes of what is discussed might.)

As such, the data protection principles set out in Schedule 1 of the DPA must be adhered to. In particular, all processing of personal data must be “fair”. The one difficult issue here (which is why you often hear notices in relation to recorded calls) is that to be “fair” the following information must be provided to the individual, “so far as is practicable”:

information regarding the identity of the “data controller” (broadly, the party ‘processing’ the data) and the purpose for which the information is being processed.further information as is necessary, having regard to the specific circumstances in which data is processed, to enable the processing to be “fair”.

Both the requirement that information only be provided “so far as is practicable” and the vague requirement to provide information which is “necessary” to be “fair” require an exercise of judgment and explains why some people do provide notices of recordings of calls.

The analysis above applies to employees as well as external persons, but for data applicable to employees in particular, the Information Commissioner has published a detailed Employment Practices Data Protection Code (“Code“) which covers, amongst other things recording and monitoring of employee calls. Although the Code is not strictly binding, the Information Commissioner has been clear that enforcement of the Code will be based on breach of the DPA itself.

The Code sets out the core principles for monitoring of employee calls. Three key principles are:

Proportionality – an employer should be clear as to why the monitoring and recording is required and should determine whether the reason for it is legitimate. Against this reasoning, the employer should consider whether the action is as un-intrusive as possible. Employers should conduct an assessment of the impact of its monitoring in order to ensure the balance is appropriate. The Provision of Information to Employees – in order to comply with the first data protection principle, full information about the monitoring or testing should be supplied to the employee. The Code is clear that this should take the form of a written policy document, which should be brought to the attention of the employee. Technical / Security Measures – employers are required to safeguard against the unauthorised processing of data.

As often in data protection matters, this can be summarised as: do what you do only for good reason, do no more than is necessary for that reason, and keep data secure!

The privacy of private communications should be respected.Where a telephone call is monitored and/or recorded according to a purpose specified in the Regulation, there is no need to tell external callers that calls will monitored / recorded. Where such calls are recorded the author suggests it is good practice to bring this to the caller’s attention, in order that the data is processed in a manner that is “fair”.Employees should be informed about the way in which data relating to them, including the monitoring and recording of telephone calls, is dealt with, and the aims of processing such data should be legitimate.Written policies on what an employee is and is not allowed to do with provided communications systems are always best practice.

Renzo Marchini
Solicitor
Dechert LLP
+44 (0)20 7184 7563
Renzo.marchini@dechert.com

View the original article here

Read More

Flash mobs – the next online threat

Dec 08

compliance and privacy

Current News Updates Sorry, I could not read the content fromt this page.

View the original article here

<!–0dc9b70ebfca438e8388a92eea175fe8–>

Read More

Transatlantic Events – Data Privacy Conference

Dec 08

EXCLUSIVE READERS OFFER:

Now ONLY £200 per day!

Dear Readers of Compliance and Privacy,
It’s our pleasure to announce and invite you as a VIP Delegate to:
The 5th Annual Privacy & Data Protection UK 2008
3rd & 4th of September 2008
at The Law Society, 113 Chancery Lane, London, United Kingdom The event is broken up into two separate days & two separate events:

“Data Protection: Global Compliance Management” 3rd of September 2008

“Data Protection: CRM, Privacy 2.0 & Social Networking ” 4th of September 2008

This is a major Privacy & Data Protection event with more than 20 internationally renowned speakers. If there is one Privacy & Data Protection event to attend this year, this is it!

The full conference agenda for The 5th Annual Privacy & Data Protection UK 2008 is available at:
TRANSATLANTIC-EVENTS.COM Please note: All VIP Delegates who attend are entitled to a special VIP discount: VIP Delegates are able to attend this event for only £250.00 (either day) or £450.00 for both days. This invite is open to you and/or any colleague(s) you would like to recommend to this event. The VIP Delegate Registration portal is:
http://www.transatlantic-events.com/PDP2008UKCPVIP.html

VIP Delegate places are limited, and sold on a “first come, first served” basis. So be sure to reserve your place(s) ASAP before they are all allocated.

WHO SHOULD ATTEND?
You will have the opportunity to meet players in the industry and discuss the latest issues with:
Chief Executives, Chief Operating Officers, Managing Directors, Heads of Human Resources, Information Security and Risk Management Specialists/Consultants, Strategy Directors, Commercial Directors, Communications Directors, Sales and Marketing Directors, Heads of e- Commerce, Information Assurance Specialists/Consultants, Heads of Business Development, Heads of Compliance, Regulatory and Legal Affairs, Consultants and Advisors, Heads of IT & Database Management, Privacy Officers and … anyone concerned with Privacy & Data Protection.

The 2008 Expert Speaker Faculty
Chairman (Day One):
Alastair Gorrie, Partner, Orrick, Herrington & Sutcliffe, UK
Co-Chairman (Day One):
James Leaton Gray, Head of Information Policy & Compliance, BBC UK
Chairman (Day Two) :
Francis Aldhouse, Consultant, Bird & Bird, UK
Co-Chairman (Day Two):
Nigel Roberts, Director and CTO, Island Networks, UK Internationally Renowned Speaker Faculty:
Bridget Treacy, Partner, Hunton & Williams LLP, UK
Monika Kuschewsky, Senior Associate, Van Bael & Bellis, Brussels
Rosemary Jay, Partner, Pinsent Masons LLP, UK
Mark E. Schreiber, Partner, Edwards Angell Palmer & Dodge LLP, USA
Robert Bond, Partner, Speechly Bircham LLP, UK
Renzo Marchini, Dechert LLP, UK
Vinod Bange, Associate, Eversheds LLP, UK
Anne Coles, Senior Partner, AMC Law, UK
Philip Nolan, Partner, Mason Hayes + Curran, Ireland
Lynda K. Marshall, Partner, Hogan & Hartson LLP, USA
Karen A. Morris, Chief Innovation Officer, AIG, USA
Tim Beadle, Director, Marketing Improvement, UK
Peter G. Wray, Chairman & Founder loyaltymatters.com and cm4p.com
Gareth Wong, Founder of CXO Europe, GamBond, and Gambit, UK
Dr. Mark Watts, Partner, Bristows, UK
Nicola McKilligan, The European Privacy Partnership, UK
Andy Thomas, Director, Garlik, UK
Edna Kusitor, Global Data Privacy Compliance Coordinator, Accenture, UK
Graham Sadd, Chairman & CEO, PAOGA Limited, UK
Winston Maxwell, Partner, Hogan & Hartson MNP, France
Tim Trent, Consultant, Marketing Improvement, Managing Editor ComplianceAndPrivacy.Com

UK Delegate places are limited, so reserve your delegate place TODAY!!! For more information, visit:
Transatlantic Events, Event Organisers:
Transatlantic Events
Production Office
Epsom, Surrey, United Kingdom
email: info@transatlantic-events.com
phone: +44 (0) 208 658 6568 

Compliance and Privacy has direct access to the entire iDefense series of online events for our members. The archive requires you to be a member, so it checks to see if you are before it lets you stream the events to your desktop.

Take me to the iDefense Online Event Archive.

Proactive intelligence is critical to effective risk management. Check out our free Web seminar series on global Internet security trends and emerging cyberthreats presented by VeriSign iDefense Security Intelligence experts. Register for this free series by choosing your preferred event from the schedule and note the that times are US Eastern Time.

Webcast Schedule:

7 November 2007, 2PM ET: IPv6 – Risks & Ramifications of a Potential Disruptor
While the various modifications and improvements to IPv4 have served the Internet well, these stop gaps can only go so far. Fortunately, IPv6 is finally maturing and provides some much needed functionality that will undoubtedly facilitate growth and innovation. Now that more products include IPv6 functionality, the technology is slowly becoming a reality. While this is a slow process, it will be moved along with the US Government’s mandate that organizations implement IPv6 by 2008; the mandate even includes organizations that do not have external factors forcing an upgrade.

While delaying deployment may lead to missed opportunities, completely disregarding the technology can have serious security ramifications. Most networks are partially IPv6-capable whether or not network managers are aware of it, and IPv4 networks left unprepared are vulnerable to attackers. So, for those considering upgrading to IPv6, there are a number of issues to consider before taking the plunge. Organizations must remember that platform upgrades of this scale will cause disruptions. In addition, an upgrade could cause confusion, resulting in security holes that attackers will certainly try to exploit. These are just some of the issues network managers and implementation specialists must consider, which makes it imperative they have a solid understanding of this new protocol. From a strategic standpoint, IPv6 facilitates a paradigm shift toward increasingly distributed, end-to-end communications, changing the threat landscape and requiring similarly distributed security. This report provides an overview of IPv6 and discusses the risks associated with its implementation.

Regular Monthly Webcast Series: Emerging Threats

Privacy Laws and Business Events may be found here

View the original article here

Read More

Data Vendor Sends SPAM about The Dangers of Prospecting Databases

Dec 08

Today (4 September, 2008) ComplianceAndPrivacy.Com received an email that appears to be from Harris Infosource, a D&B Company. Not a lot wrong with that, you may say. The email is a cold unsolicited email, or SPAM, What makes this amusing is that the SPAM has this subject line:

Why Using Cheap Prospect Lists Can Cost You Big!

Harris Inforsource, it seems, are the purveyors of fine prospect lists.

Harris addressed their SPAM to Milton Bennett at our domain. If Milton existed, if Milton had ever existed, if we had ever created, used, publicised an address for Milton, who is not now and never has been a member of our staff, then this would have been something we could pass off as “just one of those things”. But we have never heard of Milton Bennett. He is a figment of Harris Infosource’s database. We wonder if they are selling him as a part of their very fine data.

But this is SPAM with a cloned email address.

Look, here’s a screenshot of the email:

Harris Infosource - the offending SPAM email

The purists will note that this is a composite of two screenshots. It couldn’t be captured as just the one. And there is the email address, plain as a pikestaff.

Seems like the “rigorous, patented DUNSRight™” process fouled up rather well there, then!

Oh the irony! We do hope they use their own systems!

We’re cynical here at C&P, so we did some small digging. After all, Harris Infosource might have been the target of some wicked person who was trying to discredit them. But it appears not. The “from” address is harrisinfo-mail.com, not harrisinfo.com, so we did a Whois check. Harrisifno-mail is owned by Smartsource, who are an eMarketing company. That is not a surprise. Any sensible corporation outsources its email to avoid its own domain becoming known as a source for SPAM.

We checked. Our Peter Andrews forwarded the email to Harris Infosource as an attachment, to ensure that they coudl inspect all the email headers. He sent it to abuse@harrisinfo.com and also to customerservice@harrisinfo.com asking:

Is the enclosed email from your company?

We like to check before we run a story, after all.

He received the following answer from a sales guy. Hmm, not exactly ‘customer service’, then:

Good Afternoon Peter,

Yes the email is from our company.

Thanks,

(we have edited out personal information)
Harris InfoSource (A D&B Company)
(role edited out)

Tel. 800-888-5900 (Extension edited out)
Fax (Fax edited out in case it identifies the writer)
email edited out | www.harrisinfo.com

So, it comes from Harris, it is genuine, not a cloned email in order to wreck their reputation.

Peter confesses to having been a little naughty. He has sent them the following reply:

You are 100% sure about that?

If so, how did you get the data?  Milton’s email address doesn’t appear anywhere.  I’m his manager and he’s an intern here.

Remember that Milton does not exist, never has existed. But Peter is interested in the source of the data. Harris Infosource are, after all, a D&B company, and appear to understand the damage that bad prospect data can do to an organisation. Harris Infosource’s website says that they are purveyors of data.

The reply wil be interesting. We’ll bring it to you when it happens.

There has been nothing from the “abuse” address. One might think such an address woudl be monitored, but it appears not to be.

We’re fair minded. Harris Infosource is welcome to make a full reply to this article. We’ll publish it verbatim, thiough we reserve the right to take trade puffery out. They can email the fictitious Milton with it if they like. We get to see all badly addressed mail. “Milton” will now be maintained as a SPAM Trap, now, though. All mail to Milton gets forwarded to the SPAM vigilante groups.

View the original article here

Read More