FYI - IM threats to
increase next year - Cybercriminals will become yet more
sophisticated in 2006, discovering new vulnerabilities in instant
messaging systems and mobile security, one firm noted in a year-end
study. MessageLabs warned that malicious users will increasingly
target IM in the next year, calling it a "widening backdoor" to
infect enterprises with spam and trojan attacks.
FYI - Broadcom engineer
indicted on alleged theft of trade secrets - An engineer has been
indicted by the U.S. Attorney for the Northern District of
California for allegedly committing theft and unauthorized
downloading of trade secrets. The indictment alleges that a former
employee of Netgear Inc. committed computer fraud by downloading
dozens of proprietary files from Marvell Semiconductor Inc.'s
Extranet in May after accepting a position with Marvell's
competitor, Broadcom Corp.
FYI - National Australia
Bank customers baited in email 'phishing' scam - ONLINE fraudsters
have targeted National Australia Bank customers over Christmas with
a flood of hoax emails designed to trick account holders into
revealing their internet banking details.
FYI - Encryption: A nice
idea that few want to implement? - Companies are not embracing
encryption as a way to protect sensitive data. According to Ponemon
Institute's 2005 National Encryption Survey, only 4.2% of companies
responding to our survey say their organizations have an
enterprisewide encryption plan.
FYI - Sweaty hands might
make you unpopular as a dance partner, but they could someday
prevent hackers from getting into your bank account. Researchers at
Clarkson University have found that fingerprint readers can be
spoofed by fingerprint images lifted with Play-doh or gelatin or a
model of a finger molded out of dental plaster. The group even
assembled a collection of fingers cut from the hands of cadavers.
FYI - Lost and found:
DHL returns missing data tape - A missing backup tape holding
valuable data on 2 million mortgage customers has been found, but
with the original airbill missing. Though it's unlikely that
customer data was compromised, the company has urged affected
customers to monitor their credit activity.
FYI - IT security
professionals moving up the corporate pecking order - Ultimate
responsibility for information security is moving up corporate
management hierarchies, as board-level directors and CEOs - or CISO/CSOs
- are increasingly held accountable for safeguarding IT
infrastructures, new research has revealed.
FYI - Computers with patients'
information stolen from office - A medical office has warned about
700 patients that their personal data may have been compromised by
the theft of six computers.
WEB SITE COMPLIANCE -
Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease
with which an attacker can discover the secret. Attack methods vary.
! A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one-way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
! An additional attack method targets a specific account and submits
passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms, which
commonly lock out access to the account after a risk-based
number of failed login attempts.
! A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
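The two controls above, account lockout after a risk-based number of failures and scanning authentication requests by source IP for submission patterns, can be exercised against a login log. The following is an added example, not code from the newsletter or the FFIEC booklet; the log format, the thresholds (5 failures in 15 minutes locks an account; 5 distinct usernames failing from one IP within 10 minutes flags that IP) and the sample log lines are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for the example. The booklet calls the lockout
# threshold "risk-based", so an institution tunes these to its own risk.
LOCKOUT_FAILURES = 5                   # failures inside LOCKOUT_WINDOW locks the account
LOCKOUT_WINDOW = timedelta(minutes=15)
SPRAY_DISTINCT_USERS = 5               # distinct usernames failing from one IP ...
SPRAY_WINDOW = timedelta(minutes=10)   # ... inside this window flags the IP

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
# alice is attacked by a single source; a second source tries one popular
# password against five different accounts; gina simply mistypes twice.
SAMPLE_LOG = """\
2006-01-05T09:00:01 203.0.113.7 alice FAIL
2006-01-05T09:00:05 203.0.113.7 alice FAIL
2006-01-05T09:00:09 203.0.113.7 alice FAIL
2006-01-05T09:00:14 203.0.113.7 alice FAIL
2006-01-05T09:00:20 203.0.113.7 alice FAIL
2006-01-05T09:02:00 192.0.2.44 gina FAIL
2006-01-05T09:02:10 192.0.2.44 gina FAIL
2006-01-05T09:02:30 192.0.2.44 gina OK
2006-01-05T09:10:00 198.51.100.9 bob FAIL
2006-01-05T09:10:01 198.51.100.9 carol FAIL
2006-01-05T09:10:02 198.51.100.9 dave FAIL
2006-01-05T09:10:03 198.51.100.9 erin FAIL
2006-01-05T09:10:04 198.51.100.9 frank FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def analyze(log_text):
    """Replay the log; return (locked accounts -> lock time, set of spraying IPs).

    Per-account lockout counts failures inside a sliding window, so five
    failures spread over a day do not lock anyone. The spray check looks at
    the problem from the other side: one source failing against many
    different usernames, which per-account lockout alone never sees.
    """
    failures = defaultdict(deque)   # username -> timestamps of recent failures
    locked = {}                     # username -> time the account was locked
    ip_users = defaultdict(dict)    # ip -> {username: time of last failure}
    spraying = set()

    for line in log_text.splitlines():
        ts, ip, user, outcome = parse_line(line)
        if outcome == "OK":
            failures[user].clear()  # a success resets the per-account counter
            continue

        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > LOCKOUT_WINDOW:
            recent.popleft()
        if len(recent) >= LOCKOUT_FAILURES and user not in locked:
            locked[user] = ts

        ip_users[ip][user] = ts
        active = [u for u, t in ip_users[ip].items() if ts - t <= SPRAY_WINDOW]
        if len(active) >= SPRAY_DISTINCT_USERS:
            spraying.add(ip)

    return locked, spraying


if __name__ == "__main__":
    locked, spraying = analyze(SAMPLE_LOG)
    print("locked accounts:", locked)
    print("spraying sources:", spraying)
```

The spray detector is the part to note: each of bob, carol, dave, erin and frank fails only once, so no account reaches the lockout threshold, and only the per-source view reveals the pattern the booklet describes. In a real deployment the same per-source counter would be fed into rate limiting or step-up authentication, and the "client cookies" the booklet mentions would be a second key alongside the IP address, since one source behind a proxy can look like many.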
! Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well-known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
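A password policy check that enforces the dimensions listed above (length, character set, no well-known user identifiers, maximum age, and stricter requirements for privileged accounts), as an added example that is not code from the newsletter or the FFIEC booklet. The booklet names the dimensions but gives no numbers, so the minimum lengths, age limits, the three-character-class rule and the list of well-known identifiers are all assumptions for the example.

```python
import re

# Policy parameters are assumptions for this example; the booklet lists the
# dimensions a policy must address but sets no specific values.
MIN_LENGTH = {"user": 12, "admin": 16}
MAX_AGE_DAYS = {"user": 90, "admin": 60}
MIN_CHARACTER_CLASSES = 3
# Well-known identifiers that must not appear inside a password.
WELL_KNOWN_IDENTIFIERS = ("root", "admin", "administrator", "guest", "sysadmin")

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(password, username, role="user", age_days=0):
    """Return the list of policy violations; an empty list means compliant.

    role is "user" or "admin"; administrators get the longer minimum length
    and shorter maximum age, as the booklet recommends for privileged users.
    age_days is how long the password has already been in use.
    """
    problems = []
    min_length = MIN_LENGTH[role]
    if len(password) < min_length:
        problems.append(f"shorter than the {min_length} characters required for role {role}")

    classes_present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes_present < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")

    lowered = password.lower()
    if username.lower() in lowered:
        problems.append("contains the user's own identifier")
    if any(ident in lowered for ident in WELL_KNOWN_IDENTIFIERS):
        problems.append("contains a well-known identifier")

    if age_days > MAX_AGE_DAYS[role]:
        problems.append(f"older than the {MAX_AGE_DAYS[role]} days allowed for role {role}")
    return problems


if __name__ == "__main__":
    for pw, user, role in [("Tr0ub4dor&3xyz!", "alice", "user"),
                           ("Alice2006!xyzw", "alice", "user"),
                           ("Tr0ub4dor&3xyz!", "bob", "admin")]:
        print(user, role, check_password(pw, user, role) or "compliant")
```

The check deliberately reports every violation rather than stopping at the first, so the user sees the whole gap between the submitted password and policy in one round; the substring test for identifiers is conservative and will also reject ordinary words containing "admin" or "root", which is the safer side to err on for the accounts that matter most.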
! Some attacks depend on patience, waiting until the logged-in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (existing industry practice is no more than
20-30 minutes) and
heuristic intrusion detection.
! Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by
using a workstation.
Controls include prohibiting and disabling automatic login features,
and heuristic intrusion detection.
! Users' inadvertent or unthinking actions can compromise
passwords. For instance, when a password is too complex to readily
memorize, the user could write the password down but not secure the
paper. Frequently, written-down passwords are readily accessible
to an attacker under mouse pads or in other places close to the
user's machines. Additionally, attackers frequently are successful
in obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
! Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password
on particular network devices.
6. Determine whether appropriate segregation
exists between the responsibility for networks and the
responsibility for computer operations.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory
services for a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that