05 April 2013

Reputation

Posts relating to the category tag "reputation" are listed below.

05 April 2013

Fair Data?

At the end of January, the Market Research Society (MRS) launched an initiative called Fair Data.

Photograph from the London Shard at dusk looking towards Canary Wharf

Existing MRS Company Partners (who are already subject to the MRS Code of Conduct), and others who apply and pass an assessment by the MRS of their "policies and procedures", must firstly adhere to the 10 principles and secondly must "use the Fair Data mark in all relevant dealings with customers and respondents". The 10 principles relate to the following topics:

  1. Consent
  2. Purpose
  3. Access
  4. Security
  5. Respect
  6. Sensitive personal data
  7. Supply chain
  8. Ethics
  9. Staff training
  10. Default to not using personal data unless there is adherence to the above nine principles

So the scheme does not include all eight data protection principles, but does add some extra business process requirements. Perhaps this is because the trust mark has been designed "to be used internationally".

The scheme seems to have some initial endorsements, but these types of thing won't work unless there is large adoption, so that consumers and others recognise the mark, backed up by verifiable evidence that it makes a difference. I am not sure if this "kite mark" or "trust seal" is the one to make everyone confident about use of their personal data.

Posted on: 05 April 2013 at 18:32 hrs


02 November 2012

Trust Direct.UK?

Nominet, the .uk internet registry, is consulting on a proposal to create unlimited second level domains (SLDs) using .uk (e.g. clerkendweller.uk instead of clerkendweller.co.uk).

The cover title from Nominet's 'Consultation on a New .uk Domain Name Service'

The consultation document steps through the proposals and asks for responses to a number of aspects:

  • Security
  • Verification of registrant contact data
  • Third level sub-domains
  • Reserved and protected names
  • Phased release and rights management
  • Channel to market
  • Existing second level domains
  • General views

The security section proposes malware monitoring and notification, a mandatory digital signature to prevent the hijacking of a domain name (DNSSEC), and discusses how the new SLDs could be used as a trust mark. This would appear to reflect ideas published by the House of Commons Science and Technology Committee for a software security kitemark (at least for web sites).

I welcome the idea of building trust, but the bar is far too low.

I do not believe that use of DNSSEC and initial and subsequent periodic verification of contact details, combined with some sort of commercial malware monitoring and notification, are sufficient indicators of the safety of a web site for users and their data. The spread of malware is not the only risk to web site users. Trust needs to consider availability, prevention of misuse, protection of the data from breaches in confidentiality, maintenance of accuracy, and compliance with various mandates (e.g. legislative, regulatory and contractual such as PCI DSS). The processes for web site development, configuration and operation can all affect users and their data. These issues require a balanced combination of administrative, technical and physical controls, and thus are not simple and cannot be determined by an automated scan.

Whatever measures are finally agreed, they should apply to new registrations and renewals of third level domains (e.g. co.uk and org.uk), not just for the proposed SLDs. Otherwise lack of trust in the current domains will undermine trust in the others.

The consultation closes on 7th January 2013. Responses can be sent by post, email or using an online form.

Posted on: 02 November 2012 at 07:48 hrs


15 June 2012

Preparing for AppSec EU 2012 in Athens

I am looking forward to the upcoming OWASP AppSec Research 2012 in Athens from 10th-13th July. The organising team have put on a great programme.

Photograph of a fire alarm control panel

My main participation in the four days of activities will be:

I hope you are attending both the training programme and three-track conference, so please flag me down and say hello. Registration is open, and there are conference discounts for OWASP, ISACA and ISC2 members, and also for students.

Posted on: 15 June 2012 at 07:59 hrs


27 March 2012

Privacy Economics

ENISA, the European Network and Information Security Agency, has published a report on the economics of privacy.

Cover page from the ENISA report 'Study on monetising privacy - An economic model for pricing personal information'

Study on Monetising Privacy - An Economic Model for Pricing Personal Information examines approaches used to analyse the interaction of personalisation, privacy concerns and competition between online service providers. The report describes existing work on the economics of privacy, discusses a theoretical model, and presents the results of experiments to validate different versions of the model.

The research found that consumers are making economic decisions based on personal data exposure, but there is a need for flexibility from regulators and transparency in services, to enable a more efficient privacy market.

Posted on: 27 March 2012 at 07:45 hrs


06 September 2011

Trust and E-commerce Trustmarks

Today I came across a useful marketing-related discussion of common e-commerce trustmarks.

If your trustmarks aren't recognisable, then you may be better without them

Which E-commerce Trustmarks Are Most Effective? describes a study of twenty different security-related trustmarks that cover SSL certificates, payment card merchant identity, business accreditation and that all-embracing term "security".

The 150 US respondents identified which logos they recognised, and then ranked them according to level of "reassurance". Very few trustmarks were actually recognisable, but those that were appeared to provide some level of increased trust. Of course, the top three (PayPal, Verisign and McAfee) are different types of thing — a payment service provider, an SSL certification authority and a site information security scanning service. Maybe it doesn't matter what service you provide as long as it is recognisable?

The blog post also lists other ways to increase user trust, and suggests that good checkout design can trump trustmark logos.

No mention of browser SSL indicators, security labelling, national reputation or HTTP security headers! Nor of displaying lots of credit card logos, or "PCI DSS compliant" beside a PCI SSC logo, which of course are not trustmarks but are used as such by some organisations.

Maybe UK customers would respond differently?

Posted on: 06 September 2011 at 18:34 hrs


31 May 2011

Session Management Cookies and New UK Cookie Regulations

Further to the recent guidance and announcement of enforcement plans, the first demonstration of what this might entail for web sites which undertake user-tracking or store user data has been revealed.

On 26 May 2011, the rules about cookies on websites changed... I accept cookies from this site.

The UK Information Commissioner's Office (ICO) utilises up to six cookies on the ICO web site (four relating to Google Analytics). Alexis Fitzgerald discusses the implementation in his Web Application Security - From The Start blog. There is no cookie to say you have opted out of accepting cookies — which is good — but for now the site does leave that rather annoying message at the top of every page which persists in the print version too. Giving consent also sets a cookie "ICOCookiesAccepted".

I see the ICO has stated the session identifier "ASP.NET_SessionId" is an "essential site cookie". It is set by default as soon as you visit the site, and thus presumably is exempt from the regulations for consent due to being "strictly necessary for the provision of an information society service". Take note.

Well, many web sites manage not to use session identifiers except in a subset of the site, such as for authentication and authorisation checks in areas limited to certain users. I wonder whether there is any functionality on the ICO web site which really requires this session cookie to work?

Putting that aside, the cookie is "session-only" and should be destroyed when the browser is closed. But some web browsers are not routinely closed, and this would leave evidence that the site had been visited. In the case of the ICO web site, it would almost always be an insignificant matter, but there could be situations when even accessing this site might be deemed unacceptable or suspicious, leading to some sort of potential harm to an individual. Other web sites are likely to copy the ICO approach, so it is interesting that the ICO has not removed the need for a session identifier cookie for general site browsing.

My baseline tips for cookies used for session management would be:

  • Have only one session management cookie if possible
  • Ensure session management cookie(s) expire automatically
  • Destroy sessions server-side once they have expired, or when their use is no longer required, and after a fixed time period
  • Do not store any personal data or business data in the cookie value — just store a long highly-random, difficult to predict identifier which has some meaning server-side
  • Restrict session cookie scope to the site's particular domain and URL path
  • Set the HttpOnly cookie attribute and, if SSL is used, the Secure attribute (sometimes referred to as SSLOnly)
  • And preferably, limit where session identifiers are required (i.e. not the whole site)

These are just a starting point. If the session management cookie is part of authentication processes, there are further recommendations for implementation.
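The tips above, worked through in code. This is an added illustration, not code from the post or from the ICO site: a single opaque session cookie backed by a server-side store, with idle and absolute timeouts, a Set-Cookie value scoped to a domain and path and carrying HttpOnly and Secure, and a reader that picks only that one cookie out of an incoming request. The cookie name "sid", the 15-minute idle and 8-hour absolute timeouts, the example domain and path, and the injectable clock are all assumptions; the SameSite attribute goes beyond the post's list.

```python
"""Baseline session-cookie handling, added as an illustration of the tips above.
Assumptions (not from the post): cookie name "sid", a 15-minute idle timeout,
an 8-hour absolute lifetime, and an injectable clock so expiry can be exercised.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"          # the single session management cookie
IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime regardless of activity


class SessionStore:
    """In-memory server-side store keyed by an opaque random identifier.

    Nothing in the cookie value carries meaning; all state lives here.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, data=None):
        # 32 random bytes -> 256 bits of entropy, url-safe base64 (43 chars)
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"created": now, "last_seen": now,
                               "data": dict(data or {})}
        return sid

    def get(self, sid):
        """Return the session data, or None if unknown or expired (and destroy it)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT):
            self.destroy(sid)
            return None
        rec["last_seen"] = now
        return rec["data"]

    def destroy(self, sid):
        """Explicit server-side teardown, e.g. on logout."""
        self._sessions.pop(sid, None)

    def purge_expired(self):
        """Periodic sweep so abandoned sessions do not linger server-side."""
        for sid in list(self._sessions):
            self.get(sid)  # get() destroys expired entries as a side effect
        return len(self._sessions)


def session_cookie_header(sid, domain, path, over_tls=True):
    """Build the Set-Cookie value with the scope and attribute restrictions."""
    attrs = [
        f"{SESSION_COOKIE}={sid}",
        f"Domain={domain}",          # restrict to the site's own host
        f"Path={path}",              # and to the part of the site that needs it
        f"Max-Age={IDLE_TIMEOUT}",   # browser discards it even if never closed
        "HttpOnly",                  # not readable from client-side script
        "SameSite=Lax",              # beyond the post's list; limits cross-site sends
    ]
    if over_tls:
        attrs.append("Secure")       # only sent over HTTPS
    return "; ".join(attrs)


def clear_cookie_header(domain, path):
    """Set-Cookie value that tells the browser to drop the session cookie."""
    return f"{SESSION_COOKIE}=; Domain={domain}; Path={path}; Max-Age=0; HttpOnly; Secure"


def session_id_from_request(cookie_header):
    """Pull only our session cookie out of an incoming Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice"})   # constructed sample data
    print("Set-Cookie:", session_cookie_header(sid, "www.example.com", "/account"))
    print(session_id_from_request(f"other=1; {SESSION_COOKIE}={sid}") == sid)
```

The Path and Domain arguments are where the last tip lands: issue the cookie with a path such as /account rather than / so that general browsing of the site never sends (or needs) a session identifier, and call `destroy` on logout so the server-side record disappears before the browser's copy does.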

No doubt, additional advice on the new cookie regulations and standard practices will be forthcoming in due course. Of course, the ICO could have removed client-side web analytics completely, reducing the number of cookies to one (and this may not really be required either).

Posted on: 31 May 2011 at 12:41 hrs


26 May 2011

Cookies, Etc - Enforcement Guidelines

As mentioned previously, the new UK regulations on cookies, etc came into force today, 26th May 2011.

Photograph of a sign on a garden wall with the words 'Strictly Private' in white letters on a bright blue background - there is a convex mirror mounted on the wall above

The Information Commissioner's Office (ICO) announced yesterday that web site owners will have up to a year to comply with the law. The ICO also published guidance on its approach to enforcing the new rules and other powers as part of the revised Privacy and Electronic Communications Regulations (PECR), which are subject to its own Data Protection Regulatory Action Policy.

Posted on: 26 May 2011 at 14:41 hrs


22 March 2011

Legal Issues Relating to Suspension of .UK Domain Names

In December I mentioned Nominet had begun a policy review jointly with the UK-wide Serious Organised Crime Agency (SOCA), concerning Dealing with Domain Names Used in Connection with Criminal Activity.

Extract from a page of the background report 'Dealing with Domain Names Used in Connection with Criminal Activity - Background Report on Views Expressed' showing the large number of references

Since the announcement in December, Nominet has received over 200 written responses to the brief and also met with some groups to hear their views and concerns. Last month, Nominet invited stakeholders to take part in the issue group and the list of participants has now been announced. Their first meeting will be on the 4th April 2011.

To aid the discussion, Nominet appointed an independent expert to review the responses received to date, summarise them and also set the issue in the appropriate legal context. The background report has been published, and Nominet are seeking feedback on its completeness before the end of next week (31 March). Section 3 lists 13 suggested questions for the issue group to focus on.

The reason I mention this topic again, is because the 19-page background report is really an excellent read, and although not legal advice (of course!), it does give a good insight into some of the most important legal issues of operating a web site in the UK e.g. the diverse range of organisations in the supply chain (or "value chain" as it is referred to in the report), contractual obligations of registrars, extraterritorial effects, and useful reminders about the implications of the Digital Economy Act 2010 and the Terrorism Act 2000.

The report also includes good nuggets of information, such as how various agencies interact with Nominet, and that Nominet has "locked" 2,667 domains to date. If you do just two things today, check that domains are registered under your own organisation's name, and ensure all the details provided to Nominet, and other registries, have been recorded accurately.

Update 24th March 2011: The link to the background report has been altered, following the discovery by Nominet of an error in the original text.

Posted on: 22 March 2011 at 08:13 hrs


01 February 2011

Malware Attack Kit Analysis

The ecosystem of malware production and infection may not be of interest to everyone, but a new report from Symantec provides a great insight, if you are interested or need to know.

Partial view of the contents page of Symantec's report 'Attack Kits and Malicious Websites'

Attack Kits and Malicious Websites (report PDF) describes attack methods, kit types and the evolution of these crimeware kits. The features and method of traffic generation are discussed, together with an excellent section on the prevalence of attack kits, malicious web sites and attack kit popularity. The top three most attacked vulnerabilities all affected web browser plug-ins, and all five of the unpatched vulnerabilities used affected browser plug-ins; every one of these could be used in drive-by malware installation, where a user only has to visit a page without any other action required.

Note that the web sites hosting the malicious code are a combination of intentionally malicious web sites, and legitimate web sites which have been compromised for malicious purposes.

The report includes some advice for systems administrators and end users on protective measures, although it is light on advice for preventing your own web site becoming compromised.

If you are interested in cyber fraud or how to detect it, and want to read more extensively, I'd recommend Cyber Fraud: Tactics, Techniques and Procedures, Auerbach Publications, 2009 (ISBN 978-1-420-09127-1), and Detecting Malice, Robert Hansen, SecTheory, 2009 (ISBN 978-0-557-18733-1).

Posted on: 01 February 2011 at 08:40 hrs


28 January 2011

Cyber This, Cyber That

It seems we can't go a day without hearing something about cyber threats or cyber war in the mainstream press. But what's the reality?

Newspaper headline reading 'A perfect storm of cyber attacks?'

The World Economic Forum (WEF) published its annual report on global risks in advance of the WEF Annual Meeting 2011 this week in Davos. Cyber security (encompassing online data and information security and critical information infrastructure breakdown) was listed as one of five "risks to watch", which "may surprise or overwhelm us" due to varying levels of confidence in the likelihood of significant impact but which "experts considered may have severe, unexpected or under appreciated consequences". The report discusses cyber theft, cyber espionage, cyber war and cyber terrorism specifically but also warns about design flaws in internet-connected smart systems. Cyber security doesn't however make it into the report's Top 10 risks by likelihood and impact combined (Table 5, page 44).

Meanwhile the Organisation for Economic Co-operation and Development (OECD) published a report Reducing Systemic Cybersecurity Risk. This is an output of the OECD Future Global Shocks project, which is looking at options for governments to enhance capacity to identify, anticipate, control, contain and/or mitigate large disasters. The report is at a greater level of detail than the high-level WEF document. It concludes that very few single cyber-related events have the capacity to cause a global shock, but that governments should make detailed preparations to withstand and recover from a wide range of unwanted accidental and deliberate cyber events. Most breaches of cyber security (e.g. malware infestations, distributed denial of service, espionage, actions of criminals, recreational hackers and hacktivists) are expected to be relatively localised and short-term in impact.

Comforted? Remember that "local and short term" on a world leader's global scale might be the whole of your business or market. Assess the risks, and make decisions based on your own context.

If you want further advice on dealing with cyber security incidents, last week the European Network and Information Security Agency (ENISA) published its Good Practice Guide for Incident Management. Although it is aimed at national/governmental Computer Emergency Response Teams (CERTs), it contains good practices, practical information and guidelines for the management of network and information security incidents which are of use to a wider audience. See also the NIST Special Publications (800 Series) for more documents like this.

Posted on: 28 January 2011 at 08:46 hrs


Reputation : Web Security, Usability and Design
http://www.clerkendweller.com/reputation
© 2008-2013 clerkendweller.com