
Insights: Security
presented by

IN THIS ISSUE
3 BANKS SEEK TO BALANCE SECURITY AND CONVENIENCE
4 ID THEFT BECOMING RARER BUT MORE COSTLY
6 MAKE INROADS IN PC AND LAPTOP SECURITY

MARCH 2006 PUBLISHED BY DOW JONES

Small Data Breaches Have Greater Impact

BY TERRI CULLEN

Two scenarios: a) You’re notified by an online retailer that you’re among millions of customers whose account information was lost or stolen; or b) you learn a former staffer has stolen employee names, addresses and Social Security numbers from your small business. Which one puts you at greater risk for identity theft?

If you chose “b,” you’d be correct, according to a recently released study by ID Analytics, a San Diego company that helps companies combat fraud using pattern-recognition technology. The company examined billions of bits of identifiable information, such as Social Security numbers, cellphone numbers, dates of birth and credit-card account numbers, from consumers who were victims of security breaches. The study analyzed four cases of security breaches, two involving the theft or loss of sensitive data, including names and Social Security numbers, and two involving credit-card account information only.

Turns out size does matter: The study found that individuals involved in mass data security breaches are less likely to have their information misused than victims of smaller data breaches.

The sheer volume of consumers affected slows identity thieves down, said Mike Cook, vice president of product services at ID Analytics and one of the company’s co-founders. “We applied identity theft to real work terms, eight-hour days, with breaks and vacation time, and found that it would take a fraudster 40 years to work a million stolen IDs,” he said.

Some disclosure: ID Analytics,

CONTINUED ON PAGE 10

Data Theft, Competition Big Issues In Security

As the government ratchets up pressure on the market, security firms are struggling to fight the identity theft ‘panic.’ Meanwhile, Microsoft is shaking up the industry as it prepares for a major security software offensive.

BY MARK BOSLET

DATA SECURITY CONTINUES TO BE A MAJOR source of concern at U.S. businesses. Yet, security products haven’t been able to offer dramatic new steps to protect data.

The situation has companies deploying incremental - albeit more sophisticated - measures to guard sensitive information as they debate what security innovations - and legislative requirements - will follow.

The debate continued recently at the RSA Conference 2006, one of the security industry’s largest shows, where 275 companies exhibited and approximately 14,000 people attended. Microsoft Corp. Chairman Bill Gates and Cisco Systems Inc. Chief Executive John Chambers were among the speakers at the San Jose event.

This year’s conference also saw a security landscape more complicated by the expanding role Microsoft will play as it unveils key initiatives this year. The software giant said recently that its Internet Security and Acceleration Server 2006, an important firewall product for the business market, went into public beta testing prior to commercial release. The company also talked up technology it bought from privately held FutureSoft Inc. to filter malicious messages from Web traffic and unveiled pricing for its widely anticipated consumer anti-virus service, OneCare Live.

A one-year subscription to OneCare Live will be available in June for $49.95, and the product will include the Defender anti-spyware and a data-backup program. Microsoft has a separate anti-spyware product for the business market.

According to industry sources, Microsoft’s new Vista version of Windows, due out in late September, will have a built-in “shopping cart” that could help spread the OneCare Live service. The shopping cart will target consumers and allow for one-click purchases of anti-spyware and anti-virus, said one industry source.

For a new generation of security professional, however, identity theft is the most challenging new threat. In the past year alone, 52.6 million Americans had personal information compromised, according to the Privacy Rights Clearinghouse, a non-profit consumer information organization. Few companies are immune.

“With one out of five Americans being hit, there is a panic in the industry,” said Eric Drew, founder of Knightsbridge Castle Inc., a software developer focusing on the identity-loss market.

The problem is indeed severe enough that the government is stepping in. Twenty-three states already have laws requiring public notification when personal data is stolen, and three or four bills are now pending in both the Senate and House.

A national bill could emerge this year, said Paul Kurtz, executive director of the Cyber Security Industry Alliance, an industry association. The impact could be significant. “It really is a crossroads,” said Kurtz. “Businesses can

CONTINUED ON PAGE 12

INSIGHTS: SECURITY MARCH 2006 1

UNISYS EXPERT ADVERTISEMENT

John Souder
Vice President of Identification Solutions

How might security and privacy be improved through the use of advanced card technologies like smart cards?

A decade ago, I worked more closely with law enforcement agencies, where I was involved in the training of latent print examiners. Through that experience, I learned a lot about the types of cases that came through the crime laboratories. What was interesting was to see how perpetrators came across their victims. One of the scenarios related to driver licenses - where someone might see your address on the front of your driver’s license at the grocery store and then commit a crime against you or your property. There was vulnerability in those days but from a different aspect. Today, identity theft and fraud are growing rapidly. As a result, we need to look at this from a holistic viewpoint. Smart cards can offer more protection by encrypting the personal data on a driver’s license and encoding it into a chip inside the card. This increases privacy for people and gives them more security when they are using their identification or credit cards. Often, when you go to a retail store, you are asked for your driver’s license along with your credit card, exposing your personal information to the potential for fraud. With a smart card, a blind verification can occur, without the need to reveal your personal information to the retail clerk or bank teller. We’ve seen many cases involving collusion when the breach occurs at that point. So from a technology perspective, smart card technology can improve privacy and protect and secure information.

What processes and facilities would be approved for the in-person proofing required for enrollment?

This question relates more to commercial entities that want to get into the identity vetting business from a perspective. President Bush’s Homeland Security Presidential Directive No. 12 (HSPD-12) helps set a good example for vetting identity information and proposes a simple model that industry can readily adapt to its unique requirements. Industry can also look to the financial sector for guidance in this area as financial institutions have considerable experience to share with regards to secure credit card production and issuance. However, the most important aspects that must be addressed are the non-technology issues such as policies, procedures and practices. Private sector companies must implement their systems based on the desired level of security, and describe where, how and when personal data is stored and used. Transparency will help reduce anxiety and fear.

How would a database be safeguarded from tampering and theft?

Technology is available that allows companies to encrypt database information so anyone with access to the data on a normal day-to-day basis would only see the items they are authorized to view; the rest would remain hidden. The data is also protected from accidental release and theft, thus providing additional protection. Another interesting feature that this technology can now provide is the ability to de-identify certain data for research or analysis purposes. Doctors and medical researchers still need continued access to medical information for research purposes. Unfortunately this data also contains social security and other personal information that might be misused or misappropriated. However, by only allowing access to certain data elements, the information that can link an individual to the specific data remains separate (de-identified) and encrypted. Of course, it’s more expensive to do this as mentioned earlier. But it is likely less costly than the potential damage to companies who allow data to be compromised and exposed. If it wasn’t for California’s Security Breach Information Act (SB 1386), many individuals would never know that their personal data had been compromised. It is interesting to note how companies outside California deal with the same problem. In these instances, no one knows if there has been an incident unless it is leaked to the press or an individual suddenly discovers their identity has been compromised. A paradigm shift is occurring in the industry; seven to 10 years ago, IT departments looked at security as a cost and did the minimal amount required. Today because of compliance regulations such as Sarbanes-Oxley, companies now view IT security as a competitive advantage.

What standards exist to facilitate the interoperability of a universal identification credential?

Interoperability simply means that if you want to use your identification document in another state or country, the other state or country must be able to read it. HSPD-12, mentioned earlier, mandated the establishment of a federal standard (i.e., Federal Information Processing Standards Publication 201, a.k.a. FIPS 201) for vetting federal employees and contractor identities; providing secure and reliable forms of identification for federal employees and contractors; and lastly, the use of a common credential for gaining access to federally controlled facilities and logical access to federally controlled information systems. FIPS 201 will become the de facto standard and will ultimately be adopted by international governments for identification and credentialing initiatives as it addresses identity management lifecycle processes from vetting and enrollment to verification of identity using biometrics, public key infrastructure and smart card technologies.

Are there any examples of multi-purpose identification credentials in use today?

There is one high profile project, the "MyKAD" project in Malaysia—the first multi-purpose smart card project for a government identity program. When Malaysia defined the project a number of years ago, it was thinking ahead to prepare for a high-tech country and industry. It wanted a credential to use once the infrastructure was in place so that one card could function as a national identification card, a driver’s license, an immigration card and a healthcare card, along with providing an electronic cash capability. In addition, MyKad provides storage of digital certificates to encrypt and digitally sign electronic transactions. Hong Kong recently created a similar smart card program and in the 1990s, Spain started a similar multimedia oriented program with its TASS card for healthcare and unemployment benefits.

Would individuals choose to use such a secure credential voluntarily?

According to a 2002 survey conducted by Gartner and Harris Interactive, two-thirds of those polled supported national IDs, provided their uses were restricted. But just 16% of the survey trusted the state Departments of Motor Vehicles to implement this. For myself individually, I have no problem with an advanced identification card, particularly one that uses multifactor authentication for any transaction involving my personal information or finances. Yes, there is the downside that abuse can occur, but maybe I’m looking at this short-term. I would rather have my money in the bank than have someone else have my money.

“The banks are being pushed to bring in stronger authentication, but match it to the risk of the transaction and to the user experience and their desires.”

SECURITY

Six Banks Team Up To Protect Data

BY ROBERT A. GUTH

Six of America’s largest financial institutions are taking a strength-in-numbers approach to guarding customers against security breaches.

Bank of America Corp., Bank of New York Co., Citigroup Inc., JPMorgan Chase & Co., U.S. Bancorp and Wells Fargo & Co. announced a collective effort to pressure computer-service providers to be more systematic about disclosing what they are doing to protect sensitive data.

The six banks, backed by a financial-services industry group and the Big Four accounting firms, are adopting common guidelines that their suppliers - including telecommunications companies and data-service hosting companies such as International Business Machines Corp. - will have to follow.

The program is designed to both raise the level of security of financial services, such as online banking and securities trading, and try to lower costs for banks, insurance companies and computer-services providers. It formalizes procedures that have largely been ad-hoc and costly and haven’t guaranteed a level of security that meets regulatory standards, the banks said.

“We’re trying to create a standardized approach and a much more rigorous approach,” said Catherine Allen, chairman of BITS, the technology arm of the Financial Services Roundtable, a Washington financial-industry group behind the program. A goal of the program is to “raise the bar on security,” she said.

The move is a response to scrutiny over how the financial industry handles and protects sensitive data, such as credit card numbers and bank account information. Meanwhile, large buyers of computer software, hardware and services are demanding more from suppli-

CONTINUED ON PAGE 11

Banks Seeking Software To Balance Security, Convenience

BY RIVA RICHMOND

DRIVEN BY RISING ONLINE IDENTITY THEFT AND regulators’ concerns, more banks are shopping for security technology to help ensure those logging into accounts are the customers they claim to be. But while banks want security that is stronger than standard user names and passwords, they also don’t want the technology to turn off customers by diminishing the convenience of online banking.

Software makers are aiming to help banks strike a tricky balance between security and convenience, with several, including Corillian Corp. and Entrust Inc., recently introducing systems that raise the bar for risky or suspect transactions. The software works behind the scenes to apply extra security measures when there is unusual or questionable activity - say, account access from a cybercafe in Prague or a large money transfer that isn’t a normal bill-payment routine.

The emergence of these products reflects the industry’s concerns that email identity-theft scams, called “phishing,” and hacker programs that steal consumers’ account information could hurt online banking, which is valued by banks as a low-cost way of doing business.

In the U.S., the Federal Financial Institutions Examination Council, a group that sets standards for banks, credit unions and thrifts, in October urged that online-banking security move beyond simple passwords by the end of 2006. Its recommendation carries the force of regulation because banks’ failure to comply would earn them black marks from bank examiners.

Many of the new products would help banks respond to the FFIEC, which didn’t endorse specific security technologies but encouraged banks to choose measures appropriate to the risk. Other suppliers of software for tightening security include closely held firms Cyota Inc., of New York, and PassMark Security Inc., of Menlo Park, Calif.

“The banks are being pushed to bring in stronger authentication, but match it to the risk of the transaction and to the user experience and their desires,” said Chris Voice, a vice president at Entrust, of Addison, Texas. Authentication is a security measure for verifying a customer or transaction.

Industry analysts think banks will employ several techniques to weigh risk and verify identities. One way is to halt any transactions from certain computers or countries with a high fraud risk. In addition to a user name and password, some of these new security systems add a fairly obscure personal question, such as “What was your high-school mascot?” Some also allow banks facing a suspicious transaction to send an extra four-digit security code for use online to a customer’s cellphone.

The idea is similar to credit-card-fraud systems that trigger phone calls to cardholders when they detect unusual activity, while letting the vast majority of transactions through without incident. Corillian, of Hillsboro, Ore., already provides the technology behind the online banking operations of many banks and credit unions.

Woodforest National Bank, which has 190 branches in Texas and North Carolina, is rolling out Corillian’s security technology during the first half of 2006. Corillian also has sold the technology to three credit unions and said it is in talks with three of the top-10 U.S. banks.

“The key to keeping this channel open is keeping it secure,” said Charles Manning, president and chief information officer of Woodforest, which operates most of its branches inside Wal-Mart stores.

Corillian’s Intelligent Authentication package, launched in October, tracks the behavior of online-banking customers and builds histories of their habits to create “access signatures.” Its files don’t include personal information, but they do track the characteristics of the computers and Internet-service providers that a customer typically uses. It also records the normal geographic locations and the times of day a customer prefers to bank online, flagging exceptions for scrutiny.

Meanwhile, security software maker Entrust unveiled a major new version of its IdentityGuard product in November that offers

CONTINUED ON PAGE 11

“It’s getting more challenging to commit these crimes. Criminals...have to soak victims for more money.”

SECURITY

US Treasury Launches Awareness Campaign Against ID Theft

BY CAMPION WALSH

The U.S. Treasury Department recently released a DVD program to tell consumers about how to protect themselves from identity theft.

“Technology being what it is, these attacks are changing daily,” Emil Henry, assistant Treasury secretary for financial institutions, said at a press briefing. “Awareness is key to have everyone focused on staying ahead of the curve.”

Henry noted various ways thieves can get personal information, from sophisticated computer attacks to rummaging through garbage. He cited estimates that identity theft affects nearly 10 million people annually and costs the U.S. economy about $50 billion.

Federal Trade Commission Chairman Deborah Platt Majoras, on hand for the briefing, noted identity theft accounts for 37% of total fraud complaints filed with the FTC.

Asked about legislative proposals to combat identity theft, Treasury officials said they are closely monitoring Congressional measures but don’t have a formal opinion so far.

“We just want to make sure that the costs associated with any new regulation are indeed worth the benefits,” Henry said.

Treasury said President George W. Bush has already signed two laws that can help fight identity theft. The Fair and Accurate Credit Transactions Act of 2003 includes several measures including easier consumer access to credit histories to spot unauthorized activity. The Identity Theft Penalty Enhancement Act of 2004 set tougher penalties for identity thieves.

The DVD program, “Identity Theft: Outsmarting the Crooks,” is available at: www.pueblo.gsa.gov

Incidences Of Identity Theft Decline While Costs Rise

BY CHRISTOPHER CONKEY

THE NUMBER OF PEOPLE VICTIMIZED BY identity theft each year is falling, but the losses are going up, a survey suggests.

Roughly 8.9 million people, or 4% of U.S. adults, last year learned their personal data had been stolen and used to commit fraud, according to a report from Javelin Strategy & Research and the Better Business Bureau. That was down from 9.3 million identity-theft cases in 2004, researchers found based on 5,000 telephone interviews and standard polling techniques. According to the Federal Trade Commission, there were 10 million victims in 2003, so there appears to be a steady downward trend in recent years.

Commenting on its recently released annual report on consumer fraud complaints, the FTC said that more than 37% of the 686,683 consumer complaints it received in 2005 involved identity theft, led by complaints about the fraudulent use of personal credit-cards. Besides credit-card fraud, the FTC also received complaints about identity thefts in which phone or other utility service was opened using an identity borrowed from another person.

FTC Chairman Deborah Platt Majoras urged consumers to tell the commission of any fraud, saying, “These reports provide ammunition that helps law enforcers fight fraud and identity theft.”

While the new findings indicate that heightened awareness and better fraud-fighting measures have made it harder for identity thieves to find new victims, the unlucky found themselves hit harder financially.

According to Javelin, the average fraud amount per victim rose to $6,383 last year from $5,885 in 2004, for a total annual cost of nearly $56.6 billion.

“It’s getting more challenging to commit these crimes,” said James Van Dyke, founder and principal analyst of Javelin of Pleasanton, Calif. “Criminals are building up more expertise, and they have to soak victims for more money.”

PREYING ON THE WEAK

The study also found that people between the ages of 25 and 34 are more likely to be victimized than senior citizens, and low-income consumers suffer the highest losses per fraud case. Complaint data from the FTC also support the view that identity thieves are preying on the young, with identity theft complaints involving youngsters under 18 nearly doubling since 2003, up from 6,512 to more than 11,600 last year.

While they make up a small percentage - about 5% - of the total ID theft complaints, the FTC’s Jay Miller said young people are attractive to cons because they may not be as savvy about safeguarding personal information and could easily fall prey while surfing the Internet.

“Identity thieves don’t see age as a hurdle,” said Miller, who works with law enforcement to combat identity theft. “All they want is as much information about a person as they can get regardless of age. And believe me, they will find a way to use it.”

And they have, said Sue Houk of the San Diego-based Identity Theft Resource Center. A friend of Houk was stunned to learn that someone had fraudulently opened a bank account in her 12-year-old daughter’s name. The con artist then opened about a half dozen credit card accounts, declared bankruptcy, had it written off and left the youngster with a mess of legal hassles.

“It’s an easy thing to do,” said Houk, acting chief executive of the center, which is a private organization that distributes information about identity theft. “Once they get a valid Social Security number, they just go to town.”

The most victimized age group for identity theft was the 18-to-29 category. The FTC said that category registered 29% of the complaints, or more than 70,200.

The most common form of identity theft reported was credit card fraud, which accounted for 26% of the complaints, the study said. It was followed by phone or utilities fraud at 18%, bank fraud at 17% and employment fraud at 12%.

CONTINUED ON PAGE 11


“People can’t remember log-in names. People can’t remember passwords. There are just too many of them.”

SECURITY

VeriSign Launching Token-Based Security Network

BY RIVA RICHMOND

VeriSign Inc. plans to create a common system that will allow multiple companies to provide secure access to online accounts with pocket-sized security devices, rather than relying on passwords alone.

The Mountain View, Calif., company said it has lined up eBay Inc. and Yahoo Inc. as initial partners in the recently announced VeriSign Identity Protection, or VIP, network.

Under the plan, VeriSign and certain partners, including eBay’s PayPal unit, will sell or give away the devices to consumers. Other partners, such as Yahoo, won’t issue hardware themselves but will allow customers to use a single device when logging onto multiple online accounts, VeriSign said.

The company hopes to attract numerous banks, brokerage firms and e-commerce sites to the network in one of these roles, creating a shared system akin to ATM networks to offer fraud-wary consumers greater security, while keeping a lid on costs for participating companies. The initiative could be a boon for VeriSign by opening up a much bigger market for its user-authentication business.

EBay plans to issue VeriSign gadgets known as “tokens” that display a passcode that changes regularly and can be attached to a key chain. Other partners may issue tokens or other devices, such as memory sticks that plug into computer USB ports and can input passcodes. They also may choose to send one-time passcodes to customers on devices they already carry, such as cellphones.

For consumers, the system could help make “security a part of your

CONTINUED ON PAGE 9

Biometrics Making Inroads In PC Security As Costs Fall

BY MICHAEL TOTTY

IS IT TIME TO DITCH ALL THOSE HARD-TO-remember passwords for something that is impossible to forget and hard to lose?

Passwords are the first line of defense in keeping intruders out of corporate computer systems, and companies are getting more stringent about keeping them safe. They are insisting that employees use “strong” passwords - at least six characters, using a mix of numbers and letters - and change them more frequently. But the sheer number of codes is a real headache for users and a productivity drain for companies, as computer-support staff face loads of calls about forgotten passwords.

“People can’t remember log-in names. People can’t remember passwords,” said Jarad Carleton, an analyst with Frost & Sullivan, a technology consulting firm in Palo Alto, Calif. “There are just too many of them.”

Companies have tried alternatives, such as smart cards or security tokens that generate a constantly changing string of numbers that can be used to replace set passwords. These work well enough, though they can be lost or left behind when traveling. So some companies are turning to a solution that is always at hand: fingerprints.

A person’s “biometrics” - unique physical characteristics such as fingerprints that can be used for identification - have been used in high-security situations for a long time. San Francisco International Airport installed hand-geometry readers to control access for employees in the early 1990s. A hospital in Bavaria in Germany uses iris-scanning technology to limit admission to its neonatal station.

But biometrics has been slow to make headway into day-to-day business uses. Part of the problem is that biometrics readers have been expensive - fine for locking a few doors but too costly to place on every computer in an organization. Smaller and less-expensive sensors were available, but users complained they were unreliable.

In the past couple of years, though, fingerprint scanners and the necessary software have become cheaper and more reliable and have begun showing up on desktop and notebook computers. So far, the technology is found mostly among leading adopters, like health care and financial services companies. But security experts say that if they are used properly, fingerprint logons can be easier to use and more secure than passwords. Using fingerprints to verify a computer user’s identity “is a technology that is ready for prime time,” Carleton said.

Lenovo Group Ltd., which last year bought the PC operations of International Business Machines Corp., said it has sold more than one million laptop computers with built-in fingerprint readers since it began offering the product in October 2004. Ten-year-old Digital Persona Inc., of Redwood City, Calif., boasts 25 million users of its fingerprint systems, which use a plug-in reader about the size of a small computer mouse.

Not everyone is convinced. Peter Schwartz, chairman of Global Business Network Inc., an Emeryville, Calif., consulting firm, said he disabled the fingerprint reader on his new Lenovo laptop after he couldn’t sign in when trying to make a presentation before 300 people. “It’s not ready for prime time,” Schwartz said. (Lenovo says that you can expect to get falsely rejected only three times in 10,000, assuming that in some cases it might take three tries to log in successfully.)

What is more, these systems don’t eliminate passwords entirely; they just fix it so you don’t have to type them every time you log on.

Users first create passwords for their computers and store them in one central management program.

Then they set up the fingerprint system by sliding their fingers over an optical scanner - either built-in or attached - which converts the image into a unique mathematical formula that represents the fingerprint.

After that, every time users scan their fingerprints, the computer unlocks the password manager, and the required password is entered

CONTINUED ON PAGE 9

“In the old days, spammers were mostly North America-based and they were using infrastructure in the U.S. Spam is now a global phenomenon.”

SECURITY

Tech Firms Join Fight Against ‘Badware’

BY KEVIN J. DELANEY

A new effort to stop the spread of malicious software is attracting support from Google Inc., Sun Microsystems Inc. and Lenovo Group Ltd.

The Berkman Center for Internet & Society at Harvard Law School and the Oxford Internet Institute are coordinating the effort, called the Stop Badware Coalition. They are advised by the Consumer Reports WebWatch project at the nonprofit Consumers Union, and will receive funding from the three technology companies.

The effort is aimed at fighting software that subverts a computer’s operation for the benefit of a third party, forms of which are known variously as spyware, malicious adware and malware. Consumers often unwittingly download it to their computers when accessing software or content on the Web.

The Stop Badware Coalition has created a Web site where consumers can check to see if programs they want to download are infected and submit reports on malicious software to a Web-based database. Researchers will publish frequent reports about the software and the companies responsible for it.

“It’s to make sure these companies will no longer be able to hide in the shadows of the Internet,” said John Palfrey, a Harvard Law School professor and executive director of the Berkman Center.

The group has also drafted guidelines about the activities and content that characterize “badware.” But previous efforts to define spyware have sometimes come under fire from software makers, who felt their ad-delivery applications were being unfairly labeled and blocked.

Foreign-Language Spam Challenges Junk Email Filters

BY VAUHINI VARA

LIKE MOST COMPUTER USERS, TODD EPP regularly receives junk email advertising Viagra pills, mortgage loans and love connections. But lately the 46-year-old has found himself spending more time sifting through emails he can’t even read - because the messages appear to be in Chinese.

“It’s pretty odd that some guy in the middle of South Dakota is getting Chinese spam,” said Epp, an attorney in Harrisburg, S.D.

U.S. computer users are receiving more junk email written in foreign languages, and companies that make antispam software are scrambling for ways to block the offending messages, which slip through many of the language filters being used today. “In the old days, spammers were mostly North America-based and they were using infrastructure in the U.S.,” said Ken Schneider, chief architect for network and gateway security at Symantec Corp. “Spam is now a global phenomenon.”

Language aside, the Chinese, Japanese and Russian messages look similar to their English counterparts, with loud fonts and plenty of links to Web sites hawking loans, luxury wristwatches and so on. And, like U.S. offerings, many try to slide past filters by padding suspicious phrases with gibberish. Symantec, for instance, recently came across a Portuguese message from Brazil with the subject line: “He lends financial aid - I made and this giving certain.”

Email-filtering companies say foreign-language spam has risen sharply in the U.S. in the past year. Symantec estimates that 10% of the 200 million spam messages its software catches each day are in a foreign language, up from about 5% just two years ago. Sophos PLC, a privately held U.K. rival, said Japanese spam has grown tenfold since January 2005. Postini Inc., of San Carlos, Calif., said its software blocks about 20 million messages a day in Chinese.

The companies say most of the non-English messages they see are sent from outside of the U.S. The reason they end up in the inboxes of English speakers boils down to economics: Because it costs little to launch a huge, indiscriminate attack, spammers are blasting email users all over the world with messages written in languages other than English, reasoning that they could attract a few additional customers at a tiny cost, said Richi Jennings, an email security analyst at Ferris Research in San Francisco.

Spammers also scour lists of email addresses for names that sound native to certain countries, analysts said. Kasia Trapszo, a programmer in New Britain, Conn., said she believes the 20 to 30 Russian spam messages she receives each week are due to her Polish last name, which “sounds Russian.”

For antispam companies, the influx of foreign messages has been a headache. Among the techniques commonly used to block spam, one method involves creating a database of suspicious phrases like “cheap deals” and “refinance your home,” which the filters then use to block unwanted messages. But when those phrases show up in, say, Hebrew or Korean characters, it can be difficult for the filters to catch them.

Some companies are enlisting language experts for help. In the past year, Barracuda Networks Inc., an email-filtering firm in Mountain View, Calif., has hired 15 engineers outside the U.S., including in and Japan. Barracuda’s chief executive, Dean Drako, explains that when a mass email from retailer Target Corp., for instance, hits thousands of inboxes, American engineers know that it’s from a legitimate company.

“If I’m not Chinese, I might not know what the respectable companies are in China,” he said, “so I can’t make the determination of whether it is spam.”

Barracuda’s engineers in China recently came across a piece of spam related to the Falun Gong spiritual movement. The piece of spam was evading Barracuda’s filters, so Chinese-speaking engineers looked closely at the message and realized that its writers had

CONTINUED ON PAGE 9


AOL Wins $5 Million Judgment Against ‘Poster Boy’ Spammer

A man who sent billions of junk emails hawking online college degrees, sexually explicit Web sites, cable TV descramblers, penis-enhancement pills and “generic Viagra” must pay more than $5.5 million in penalties to America Online Inc., a federal judge ruled.

Christopher William Smith, of Prior Lake, Minn., was considered one of the world’s worst spammers, operating under the name Rizler. He is now in a Minnesota jail awaiting trial on criminal charges that he violated federal drug laws while operating an online pharmacy.

U.S. District Judge Claude Hilton recently ordered Smith to pay $5.3 million in damages and $287,000 in legal fees to AOL, which filed a civil suit against Smith under a 2004 federal law known as Can-Spam.

Smith “was the poster child for the Can-Spam Act,” said AOL spokesman Nicholas Graham. “This is someone we’ve been pursuing for three years. It’s one of the largest judgments we’ve received.”

Graham said that AOL, the Dulles-based subsidiary of Time Warner Inc., has won tens of millions of dollars in judgments against more than 30 spammers under the federal law and a similar Virginia law.

Hilton issued a summary judgment in favor of AOL, saying Smith “refused to participate in this case, willfully disregarding...discovery obligations and failing to comply with multiple court orders.”

Court records show that Smith’s lawyers withdrew from the case several months after it was filed. In an initial response to AOL’s lawsuit, Smith’s lawyers denied wrongdoing and questioned the constitutionality of the Can-Spam law.

Leading Nation, NJ Passes Greater Guards Against ID Theft

A New Jersey law that took effect in late December aims to crack down on identity theft crimes by allowing residents to freeze access to personal credit reports.

Under the new law, New Jersey residents can control access to their own credit reports. Without access to “frozen” reports, an identity thief cannot obtain a mortgage or a credit card using someone else’s name, even with the victim’s Social Security number.

Consumers wishing to freeze access to their reports are required to inform the credit reporting agencies by overnight or certified mail since the letter includes their Social Security number. Each agency - Experian Information Solutions Inc., Equifax Inc. and Trans Union LLC - requires different information in addition to the Social Security number, so consumers should contact them before writing.

Consumer advocates say New Jersey’s law is among the best in the nation, where some believe up to 10 million people a year are victimized by identity theft.

Although it costs nothing to freeze a credit report, victims say they are disappointed that the new law lets each credit rating company charge consumers $5 to “thaw” the report.

Abigail Caplovitz, legislative advocate for the New Jersey Public Interest Research Group, said the law has several other laudable features, including a “pro-consumer, pro-disclosure standard” requiring companies to notify people when their private information has been improperly breached or disclosed.

The law also requires companies to destroy paper and electronic records of customers when the data is no longer needed, and limits the use and display of Social Security numbers. Social Security numbers can no longer be used on identity badges, membership cards or used to allow the holder to gain access to products or services. Moreover, the law bars anyone from posting a person’s Social Security number, or four or more consecutive digits of the number.

In addition, Social Security numbers cannot be in any mailing, unless required by state or federal law.

The law also requires that a resident’s local police department take a report when a resident reports identity theft.

“It’s a very significant law when it comes to reducing the chance that identity theft will occur,” said Caplovitz, who added that she is concerned that weaker bills being considered in Washington would supersede New Jersey’s law.

State Sen. Shirley K. Turner, D-, a sponsor of the law, said, “We have finally given the consumers in the state of New Jersey the tools that they need to protect themselves from identity theft. And this will be one of the toughest laws in the nation.”

Although it took three years to enact because of objections from some businesses that said it would create too much of a burden, Turner said merchants benefit when consumers are confident their personal information is safeguarded.

Wendy Johnson Lario, a lawyer who is advising businesses on compliance with the new law, said there are significant downsides and exposure for a company that fails to take preventative steps. Offenders can be sued by an individual or the state for a “knowing or reckless violation,” and the plaintiff could collect up to triple the monetary damages awarded, said Lario, a partner at Pitney Hardin in Morristown.

She said that financial services companies that do business in New Jersey have already taken steps to comply. “This is going to have more of an impact on the small and midsize companies that before didn’t have an obligation to do this,” Lario said.

Such steps have already been taken at Prudential Financial Services Inc., based in Newark, one of the nation’s largest insurance and investment companies, said spokeswoman Gabrielle Shanin.

Since several states had already enacted such laws, “We’ve been at this standard for the last several years, when it comes to protecting data for our customers, employees or contractors,” said Shanin.


FOREIGN-LANGUAGE SPAM
CONTINUED FROM PAGE 7

replaced common Chinese characters in some words with older, less familiar characters. The message would make sense to a human recipient - much like “v!agr@” in English - but Barracuda’s machines couldn’t recognize the similarity.

“They were able to neutralize it more quickly than we would have been able to do in the U.S.,” Drako said.

Besides being difficult to analyze for English-speaking engineers, some foreign-language messages also present technical challenges: The “multibyte” characters of Asian languages, for instance, are more difficult to break apart and analyze than the characters found in the Latin alphabet. Proofpoint Inc., Cupertino, Calif., said it believes it effectively catches about 90% of unwanted messages written in Japanese, compared with an effectiveness rate of 99% for spam written in English and European languages.

“The word ‘bonjour’ is very clearly that word, but a Japanese word can look like a big jumble of characters,” said Rami Habal, director of antispam products at Proofpoint. “We require an additional piece of technology to parse those into individual terms. As the wave of such spam increases, we need to add this type of capability to our products.”

Microsoft Corp. has asked about 100,000 of its Hotmail email users to help in its fight against junk mail by regularly examining messages and flagging spam. (Any Hotmail user can click a button and identify a message as spam.) Microsoft analyzes those messages and comes up with a database of features that they have in common - many of which have nothing to do with language.

“When the average English-speaking Hotmail user gets an email that comes in in Chinese characters, they say, ‘Yes, this is spam,’” said John Scarrow, general manager of Microsoft’s antispam and antiphishing team.

“Once they say it is spam, the software doesn’t care what language it is in.”
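The phrase-database filtering the article describes, and the reason look-alike characters, padding and older character forms slip past it, can be shown in a few lines. This is an added example, not code from any vendor named in the article; the blocklist, the substitution tables and the sample messages are all constructed for illustration.

```python
import unicodedata

# Constructed blocklist. The first two phrases are the article's own examples;
# the Chinese entry ("low-priced loans") is an assumed sample.
BLOCKLIST = ["cheap deals", "refinance your home", "viagra", "低价贷款"]

# Assumed look-alike substitutions of the "v!agr@" kind.
LOOKALIKES = {"!": "i", "1": "i", "@": "a", "0": "o", "3": "e", "$": "s"}

# Tiny constructed sample mapping older (traditional) forms to the common
# (simplified) characters. A production filter would load a full variant
# table, for example from the Unicode Unihan variant data.
VARIANTS = {"價": "价", "貸": "贷", "請": "请"}

FOLD = str.maketrans({**LOOKALIKES, **VARIANTS})


def naive_match(text):
    """Phrase-database filter as described: plain substring lookup."""
    lowered = text.lower()
    return [phrase for phrase in BLOCKLIST if phrase in lowered]


def normalize(text):
    """Fold a message to a canonical form before phrase lookup."""
    # NFKC turns full-width and other compatibility forms into plain ones.
    text = unicodedata.normalize("NFKC", text).casefold()
    # Undo look-alike symbols and map variant characters to the common form.
    text = text.translate(FOLD)
    # Keep letters and digits only, so punctuation padding and spacing vanish.
    # This also removes the need to split CJK text into words first, at the
    # cost of occasional matches that span a word boundary.
    return "".join(ch for ch in text if ch.isalnum())


def robust_match(text):
    """Phrase lookup on normalized text; returns the blocklist entries hit."""
    squeezed = normalize(text)
    return [phrase for phrase in BLOCKLIST if normalize(phrase) in squeezed]


# Constructed sample messages.
SAMPLES = [
    "Cheap deals, refinance your home now",   # plain phrases
    "Get V!AGR@ today",                       # look-alike symbols
    "c.h.e.a.p  d-e-a-l-s inside",            # punctuation padding
    "ｒｅｆｉｎａｎｃｅ ｙｏｕｒ ｈｏｍｅ",            # full-width Latin letters
    "低價貸款，立即申請",                        # older character forms
    "Meeting moved to 3pm, agenda attached",  # benign
]


def compare():
    """Return (message, naive hits, robust hits) for every sample."""
    return [(msg, naive_match(msg), robust_match(msg)) for msg in SAMPLES]


if __name__ == "__main__":
    for msg, naive, robust in compare():
        print(f"{msg!r}\n  naive:  {naive}\n  robust: {robust}")
```

Because squeezing out separators can join unrelated words, a hit from `robust_match` is better used as one scoring feature than as a verdict on its own.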

BIOMETRICS
CONTINUED FROM PAGE 6

automatically. Besides making sign-ins more convenient, fingerprint systems also make it possible to create much stronger passwords, with 20 or more random characters, that would otherwise be extremely difficult to remember.

As is often the case with technologies just beginning to break out, fingerprint readers are being rolled out in settings where they can have the biggest effect. Sisters of Mercy Health System, a Chesterfield, Mo., health care organization, began testing fingerprint readers in the emergency department of one of its St. Louis medical centers in July. It now has about 40 devices in the emergency department and 40 in administrative offices.

The fingerprint readers are used in combination with identification badges. When, say, a doctor approaches the station, the computer recognizes her badge and automatically logs her in, using a system put together by Sentillion Inc., of Andover, Mass. The doctor then verifies her identity using the fingerprint reader. If the doctor leaves the computer, the machine automatically logs her out.

Another common use for fingerprint scanners is locking down portable devices, such as notebook computers and PDAs. Concentra Inc., a manager of occupational health services in Addison, Texas, last year began testing about 400 fingerprint-enabled laptops from Lenovo and found the systems make logging in faster and easier.

VERISIGN
CONTINUED FROM PAGE 6

Web lifestyle,” said Nico Popp, vice president of VeriSign’s authentication-services group.

VeriSign plans to sell devices usable on the network directly to consumers via a Web portal it expects to launch in the next three months. Also, SanDisk Corp. has agreed to make its flash-memory drives, which are sold in retail stores, work as authentication devices on the network.

The effort reflects the rising concern among consumers and companies about online fraud and identity theft. Passwords are often forgotten or stolen, sometimes through online information-theft schemes known as “phishing.”

Experts have long pushed for the tighter security offered by “second-factor” authentication, the kind used by ATM systems. The phrase refers to combining something users have with something they know, such as requiring a debit card and a PIN number. Many corporate employees use tokens to gain secure access to company networks when outside the office.

“We think, overall, second-factor authentication will be a good tool for consumers to protect them from identity theft,” an eBay spokeswoman said.

VeriSign said Yahoo would allow consumers to use devices tied to the network to log into their Web accounts securely, but it wouldn’t be distributing devices.

The company laid the foundation for the VIP network in October when eBay agreed to buy one million tokens from VeriSign over three years for distribution to eBay and PayPal users. The deal was inked as part of eBay’s agreement to acquire VeriSign’s payment gateway business.

VeriSign is hopeful that many financial services companies will join the network, in light of an October directive from banking regulators requiring tighter security than just passwords for online accounts by the end of this year. To date, banks, as well as other companies, have shied away from using tokens because of the cost and complexity associated with distributing and maintaining them.

To meet the new regulatory requirements, banks have mostly been implementing software within their networks for detecting fraudulent activity and ratcheting up security only on suspicious transactions with things like additional security questions. VeriSign announced an antifraud service of that kind recently, but it also is promoting the VIP network as a way to further beef up security.


DATA BREACHES
CONTINUED FROM PAGE 1

which is in the business of detecting identity theft for companies such as financial-services firms and retailers, initiated the study at the request of the companies whose security breaches were examined. The companies didn’t sponsor the study, but ID Analytics provides services to one of the breached companies and provided services to another of the companies in the past.

The ID Analytics study also found that mass data security breaches didn’t result in the identity theft free-for-all many had feared. The odds are less than one in 1,000 that misuse or fraud will be detected for individuals whose sensitive information is compromised in cases of large-scale security breaches.

Identity theft was more common when there was an intentional effort to steal information, as opposed to security lapses that occurred by accident, the study found. So, for example, you’re more likely to be a victim if a thief intentionally steals a laptop to access the sensitive consumer data it holds, rather than if the thief steals the laptop simply to hock it for cash.

The study comes in the wake of a series of highly publicized mass security breaches last year, which raised concerns about the potential for widespread identity theft. Last June, for example, MasterCard International Inc. reported that someone had broken into the computer network of CardSystems Solutions Inc., an Atlanta company that processes credit-card transactions. The breach gave the thief access to names, account numbers and card security codes on more than 40 million credit-card accounts.

When breaches such as this are disclosed, many consumers have no idea how likely it is that their information will be used to commit fraud, said Jay Foley, co-executive director of the Identity Theft Resource Center in San Diego, a nonprofit organization that assists victims of identity theft.

“What [ID Analytics] is doing is identifying quite accurately where the greatest potential danger is,” he said. “The study emphasizes the types of breaches [that] businesses and government need to look at closely and take seriously.”

What constitutes a higher-risk intentional breach? The riskiest category is one-on-one crimes, where a thief targets a victim to steal identification or account information. When information on thousands of individuals is stolen, however, the chances of one person in that group becoming a victim falls considerably, according to the study.

“As you pass information stolen on 200 people or more in one incident, the risk drops off sharply,” Foley said.

CONSUMERS NEED TO STAY ON GUARD

Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, warns that the study is a relatively small sampling, and that the results may lull consumers and lawmakers into believing the threat of identity theft posed by these types of data security breaches is inconsequential.

“This is a very limited survey, they are only looking at four breaches and I’m concerned that their findings will be generalized,” she said. “A great deal more research needs to be done on this area before any generalizations can be made.”

Regardless of the size of the security breach, consumers should remain vigilant against the threat of identity theft, said Eric Zahren, a spokesman for the U.S. Secret Service. “Any and all breaches should be considered serious and potentially damaging,” he said.

Indeed, while the new survey provides some comforting insight on the real and perceived dangers of breaches of information, large and small, consumers need to actively monitor and protect their sensitive financial information.

A 2005 study by Javelin Strategy & Research, a Pleasanton, Calif., consulting firm, found that when people monitor their accounts online, they are far less likely to be victims of fraud. The average paper and mail loss to identity theft and fraud was $4,500, said Jim Van Dyke, a principal at Javelin, while the average loss suffered by victims who detected crime online was $551.

“The difference is people are detecting the fraud and contacting their financial institutions sooner,” he said, “and not sending checks or other personal information through the mail.”

TOO MANY NOTIFICATIONS, OR NOT ENOUGH?

ID Analytics’ findings come just as a number of bills are being considered by federal legislators that would require companies to notify consumers of security lapses. Many of the proposals focus on mass security breaches, while the study indicates that victims of smaller breaches are more vulnerable to fraud, said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington.

“Legislators have been justifiably unsure of what to do because up until now there has been so little information on what works,” he said.

Businesses have been arguing against stricter notification laws, saying the cost would be prohibitive and that notifications should be limited to breaches that threaten a significant risk of identity theft. California was the first state to require all companies to send notifications when security breaches are detected.

John Hall, a spokesman for the American Bankers Association in Washington, contends that businesses should be the ones to determine whether notifications are warranted. Regulators require that financial services firms send notifications only when the companies consider the security breaches a risk to the individuals involved.

“We feel that a plethora of unnecessary warnings runs the risk of creating a ‘cry-wolf’ mentality, where consumers begin to ignore notifications whether they’re serious or not,” Hall said.

Mike Zaneis, a lobbyist with the U.S. Chamber of Commerce, which is working with several congressional committees to secure a national flexible notifi-

CONTINUED ON PAGE 11


BANKS SEEKING SOFTWARE
CONTINUED FROM PAGE 3

a menu of user-verification methods banks can choose from to beef up security on transactions they deem risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of Mercantil Servicios Financieros of Venezuela, and a number of European banks. European customers of Entrust’s software include Schufa Holding AG, a German credit-reporting company, and the Swedish government.

For low-risk transactions, such as a payment to a utility company, banks may be content to verify that the user is connecting via a previously authorized computer. In more risky situations, or if the computer check fails, Entrust’s system can ask preset security questions or add extra one-time passcodes that customers determine with a credit card-sized token.

Entrust also uses ideas similar to those from PassMark, which supplies security software to Bank of America Corp. Its system displays a photo of a local bank site that is preselected by the customer, so he can be confident he isn’t visiting an impostor site.

IDENTITY THEFT
CONTINUED FROM PAGE 4

ABSORBING THE BLOW

Consumers can suffer mightily when fraudulent activity isn’t discovered for months or years. In cases where consumers don’t discover they are victims until they are turned down on a new credit application, for example, they ended up paying an average of $1,391 in losses and spent 98 hours clearing up their record, the survey found. On average, victims bore $422 in costs, down from $675 in 2004, and spent 40 hours resolving the matter, up from 28 in 2004.

Businesses absorbed 93% of the financial damage, or just under $6,000 per victim, the latest survey found. The reason: Zero-liability clauses and other protections often shield consumers from the direct costs of credit-card fraud and other forms of identity theft.

To combat the theft threat, many banks, wireless providers and credit-card companies have turned to technologies that assign identity scores to new applications and fraud scores to suspicious transactions. Similar to credit scores, which seek to determine how likely an individual is to default on a loan, these scoring models seek to ensure that new and existing customers really are who they say they are.

Consumers have many tools at their disposal, too. Among them: access to free credit reports and a variety of credit-monitoring products, paper shredders, and the ability to bank online. Nearly 70% of the respondents to the Javelin survey said they shred documents containing identity data.

Mari Frank, an attorney and privacy , said the onus should be on businesses to cut down on identity crime. Like many consumer advocates, she supports state laws that force companies to disclose data breaches and allow consumers to freeze access to their credit reports.

“Even if consumers are educated and do everything they can, they can still be hit by an identity thief,” she said. “We have to be careful not to blame the victim.”

Siobhan Hughes contributed to this article.

SIX BANKS TEAM UP
CONTINUED FROM PAGE 3

ers, in part because of pressure from regulations such as the Sarbanes-Oxley U.S. corporate governance act.

“We need to go back downstream to the providers of those services to make sure we have protections in place,” said Donald Monks, vice chairman at Bank of New York.

Under the new program, called the Financial Institution Shared Assessments Program, the banks have set up a standard process for assessing the level of security at a computer-service provider. By banding together, the banks said they can set minimum standard guidelines for the industry as a whole and have more sway over service providers.

In practice, banks could decide on a standard level of security and protection they would need for, say, online banking services. Working with auditors, banks could approach a provider such as IBM and test, among other areas, the security protecting databases that hold customers’ account information. The assessment could also include queries about the level of encryption a provider uses to secure data and how often it updates its antivirus software.

The banks last year ran a trial with five services providers, including IBM, Acxiom Corp., First Data Corp., Viewpointe and Yodlee Inc.

Amy Schatz in Washington contributed to this article.

DATA BREACHES
CONTINUED FROM PAGE 10

cation standard, said too many notifications may raise unnecessary concerns about the companies who have suffered data breaches.

“Certainly there is a potential to erode the consumer confidence in a certain company, and of course we want to avoid that,” he said, noting that a recent survey by privacy-research organization Ponemon Institute, sponsored by the law firm White & Case of New York, found that nearly 20% of respondents said they terminated a relationship with a company after being notified of a security breach, and 40% said they were thinking about terminating the relationship.

Foley, a consumer advocate, argues that notifications are necessary for any breaches, regardless of size, and that businesses create a liability issue when they don’t share information about lost or stolen data: “The companies need to analyze the information exposed, notify [consumers], give them the information necessary to offset potential problems and then just let it go.”


DATA THEFT
CONTINUED FROM PAGE 1

recognize that government is going to impose security on them or they can do it themselves.”

Many firms are taking on the task. “I’m trying to become as proactive as possible,” said Nick Fitzpatrick, network manager at the law firm of Laughlin Falbo Levy & Moresi LLP. “I want to keep people out.”

That has meant adopting software to record keystrokes at an infected computer. Computer technicians can then follow the spread of an infection. It has also led to the installation of an upgraded firewall and intrusion-prevention software from Determina Inc. Intrusion-prevention software attempts to identify and respond to threats when they enter a company’s network.

Product improvements have been evolutionary, not revolutionary, said Fitzpatrick. There have been improvements, but no big changes.

Companies are using more elaborate defenses. One new approach makes use of two-factor authentication, a procedure that requires computer users to provide two forms of identification, said Howard Schmidt, CEO of R&H Security Consulting LLC and a former White House cyber security official. One form of identification might be a smart card - a plastic credit card with a semiconductor chip storing individual information - and the other a PIN.

Businesses also are increasingly considering outside security services. “Outsourced security is not only more palatable, but more desirable” among businesses today, said Schmidt. “One of the big things this year will be managed services.”

That’s because companies have increased security budgets to invest in technology but feel they are fighting just as hard as they have in the past. They are asking, “How do I make my investments better?” said John Pironti, principal security consultant at Unisys Corp. “How do I monitor and measure the effectiveness” of the controls they put into place?

Vendors attending the show said they will unveil continued improvements to their security product lines. But few companies boast of new product areas or a transformation as notable as Microsoft’s.

The company has been berated over the past five years for writing software fraught with security vulnerabilities. Now its software quality is improving. “Ironically, Microsoft seems to be leading the charge in that area,” said Brian Cohen, CEO of the SPI Dynamics, a private Atlanta-based security company.

The company’s product push will spark heightened competition across the industry, specifically against anti-virus vendors Symantec Corp. and McAfee Inc. “Every player in this market is going to have to play their best game,” said Michael Cherry, lead analyst at the research firm Directions On Microsoft. “There’s going to be no room for an inferior product.”

Companies, such as Websense Inc., now a Microsoft partner, could someday become a competitor. The anti-spyware vendor, which announced a new version of its Web Security Suite at the RSA Conference, recently struck a marketing partnership with Microsoft’s Internet Security and Acceleration Server 2006. But the ground rules could change if Microsoft were to integrate its own anti-spyware software into the server.

“We’re poised to weather the Microsoft gorilla,” said Patrick Hinojosa, chief technology officer of anti-virus company Panda Software International S.L. of Spain. But “Microsoft is going to pressure the pricing model.”

Other observers wonder whether the increasing competition will distract the industry from solving security concerns, such as identity theft. “I would hate to see it turn into something ugly,” said Schmidt. “I worry about that.”

Symantec recently unveiled its own plans for an anti-virus service to compete with OneCare Live. The product, Genesis, is scheduled for the fall and will include anti-spyware, backup, firewall and intrusion detection software.

Director of Product Management Tom Powledge said Genesis will have a greater depth and broader range of technologies. “We are prepared to compete [and] we are prepared to innovate,” he said. “Symantec has a long history of innovating on top of Microsoft operating systems.”

Insights: Security, presented by Unisys

EDITOR
Chad White

CONTRIBUTORS
Mark Boslet, Christopher Conkey, Terri Cullen, Kevin J. Delaney, Robert A. Guth, Siobhan Hughes, Riva Richmond, Amy Schatz, Michael Totty, Vauhini Vara and Campion Walsh

Insights: Security
Published by Dow Jones
Copyright 2006, Dow Jones & Co., Inc.

REGISTRATION
To receive a complimentary copy of Insights, fill out the registration form (name, address, city, state, ZIP, country, phone, email) and fax it to 866.291.1300. You can also register at djnewsletters.com/RegisterInsights.aspx, or by sending your request (with the information above) to [email protected], or by calling us at 866.291.1800.
